CN104981813A - Securing accessible systems using dynamic data mangling - Google Patents

Info

Publication number: CN104981813A
Authority: CN (China)
Prior art keywords: function, code, coding, register, intermediate result
Legal status: Granted (active)
Application number: CN201380027995.4A
Other languages: Chinese (zh)
Other versions: CN104981813B (en)
Inventors: H.约翰逊, Y.X.古, M.韦纳
Current assignee: Irdeto Canada Corp; Ai Dide Technology Co Ltd
Original assignee: Ai Dide Technology Co Ltd
Events: application filed by Ai Dide Technology Co Ltd; publication of CN104981813A; application granted; publication of CN104981813B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by adding security routines or objects to programs
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/60 Protecting data
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications using a plurality of keys or algorithms
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04 Masking or blinding
    • H04L2209/16 Obfuscation or hiding, e.g. involving white box

Abstract

Systems and techniques for securing accessible computer-executable program code and systems are provided. One or more base functions may be generated and blended with existing program code, such that it may be difficult or impossible for a potential attacker to distinguish the base functions from the existing code. The systems and code also may be protected using a variety of other blending and protection techniques, such as fractures, variable dependent coding, dynamic data mangling, and cross-linking, which may be used individually or in combination, and/or may be blended with the base functions.

Description

Securing accessible systems using dynamic data mangling
Technical field
The present invention relates generally to electronic computing devices and computer systems, and more particularly to protecting software and firmware on devices and systems that are accessible to attack.
Background technology
The use of computers, electronic computing devices and computer software in all their various forms is recognized as very widespread and growing. In addition, with the proliferation of powerful communication networks, the ease with which computer software programs and data files may be accessed, exchanged, copied and distributed is also growing. In order to take advantage of these computing and communication systems and the efficiencies they offer, there is a need for methods of storing and exchanging computer software and data securely.
One method of maintaining confidentiality or privacy that has proven widely used and accepted is to encrypt data using secret cryptographic keys. Existing encryption systems are designed to protect their secret keys or other secret data against "black box attacks". This is a situation in which the attacker has knowledge of the algorithm and may examine various inputs to and outputs from the algorithm, but has no visibility into the execution of the algorithm itself (for example, an adaptively chosen input/output attack).
Although cryptographic systems relying on the black box model are very common, it has been shown that this model does not reflect reality. Often the attacker is in a position to observe at least some aspect of the execution of the algorithm, and has sufficient access to the targeted algorithm to mount a successful side-channel attack (timing analysis, power analysis, cache attacks, fault injection, etc.). Such attacks are often referred to as "grey box" attacks, the assumption being that the attacker is able to observe at least part of the system's execution.
Recognizing this, efforts have been made to design cryptographic algorithms and data channels that resist a more powerful attack model, the "white box attack". A white box attack is an attack on a software algorithm in which it is assumed that the attacker has full visibility into the execution of the algorithm. To date, such protection systems have met with reasonable success, but as such protection systems have become more and more sophisticated, attack techniques have become more sophisticated as well (such as encoding reduction attacks, statistical bucketing attacks and homomorphic mapping attacks). Thus, many existing white box protection systems are now being shown to be ineffective against concerted attacks.
Obfuscation of software by means of simple encodings is sometimes used. To be useful, such encodings applied in software obfuscation must not add excessively to the time and space consumption of the software, so such encodings are typically relatively simple. Thus, while they can protect the software as a whole, they do not offer a high degree of security. There are many communication boundaries in software which represent particular vulnerabilities: passages by which data in unprotected form enters or leaves an obfuscated program, passages by which data enters or leaves a cipher implementation in software or hardware, and the like. The strength of existing encoding strategies is typically severely limited by the size of the data they protect. For conventional encodings, such protected items are on the order of 32 bits, sometimes 64 bits, and sometimes smaller data segments such as characters or bytes. Given the limitations of the encodings and of the operand sizes, a fairly rapid brute-force attack on such encodings cannot generally be prevented.
There is therefore a need for more effective secret-hiding and tamper-resistance techniques, providing protection of software code and data in general as well as protection of secret cryptographic keys, biometric data, encrypted data and the like. It is also desirable to provide a much stronger form of protection for software boundaries than conventional simple encodings.
Summary of the invention
Embodiments of the present invention are generally aimed at providing more effective secret-hiding and tamper-resistance techniques, thereby providing protection of software code and data without fear that security will be breached.
The methods and systems disclosed herein are not limited to any particular underlying program. They may be applied to cryptographic systems, but equally to non-cryptographic systems. Nor does the protected code dictate what is done to protect it, so the protection techniques are not constrained by the underlying code. This may provide an advantage over other protection techniques that may leave or create patterns based on the underlying code; such patterns may offer weaknesses that an attacker can exploit.
Some embodiments disclosed herein provide "deep data dependence", which can make it difficult or impossible to unravel or distinguish the protected code from the code that provides the protection. For example, the AES algorithm typically executes the same way every time, no matter what the input data is. This makes it straightforward for an attacker to know what he is looking for and where to find it. Most white box protection systems have a rigid equation structure that does not address this type of problem. That is, an attacker may know what type of operation or effect to look for, and when to inspect the code or the execution to find those operations or effects. In contrast, embodiments disclosed herein may provide a non-rigid encoding, for example one in which each iteration of the protection algorithm results in a different encoding. The system is therefore highly non-repeatable. Among other things, this can make embodiments disclosed herein more resistant to "compare" type attacks, in which an attacker changes one bit and observes how the target program changes. In some embodiments disclosed herein, if the attacker changes one bit, the protected code will look completely different.
As an overview, the embodiments of the tools, families of tools and techniques described herein may be grouped as follows:
1) Systems and techniques for blurring the boundaries between modules of the target code and between the target code and the protection code. This may be achieved, for example, by blending code together with the surrounding code and interleaving ciphers with other code, which is not usually done in other protection systems.
2) Systems and techniques for ensuring that a crack requires human intervention. Humans look for patterns they have seen before. By introducing random functions according to embodiments disclosed herein, repetition and/or common patterns can be removed, making automated attacks largely ineffective.
3) Systems and techniques for protecting against "compare attacks". As noted above, a compare attack is one in which two iterations of the code's execution are compared to look for differences, for example by changing a single input bit to see how the operation and the output change. Protection algorithms as disclosed herein can produce dynamically different functions with each iteration of the protected code, so a compare attack yields no useful information.
The obfuscation techniques described herein may be applied wherever the overhead can be accepted. White box protection systems typically have larger overhead than the techniques described herein, and are therefore at a disadvantage.
Some embodiments include systems and techniques for software protection that operate by applying bijective "base functions" to the target code. These base functions are pairs of mutually inverse functions which are used, for example, to encode an operation and then, at a later point in the software application, to undo the encoding of the operation. The encoding obscures the original function and the data it produces. No information is lost, since the encoding operation is paired with a decoding operation which later "cancels" or "reverses" its effect within the encoded application. The base functions can be chosen so that an attacker cannot easily find or determine the inverse function. That is, given a function keyed by K, it may not be easy to find its inverse without the key K. The key K may be used at code generation time, but is discarded once the functions have been generated and applied to the target code. These base function pairs are also lossless, i.e. mathematically invertible. The protected software application does not need to fully decode a function or process in order to use it elsewhere in the target code, since the encoding and decoding changes are included in the encoded application. In some embodiments it may be preferable for the base functions to be "deeply nonlinear", thereby making homomorphic mapping attacks more difficult. In some embodiments, the base function pairs include permutation polynomial encodings. A permutation polynomial is an invertible polynomial (a polynomial bijection).
Some embodiments may generate or use base function pairs such that they produce "instance diversity" and "dynamic diversity". To achieve "instance diversity", each base function pair may create a secure "communication channel", for example between portions of a software application, between two software applications or platforms, and the like. Dynamic diversity may be created by linking the actions of the software to its input data. Each time an encoding is performed, e.g. for communication between two encoded applications, instance and dynamic diversity may be generated between the two parties. The base functions may be highly "text-dependent", so they offer good resistance to plaintext and perturbation attacks. If an attacker changes anything, even as little as a single bit value, the change causes a very large change in behavior. This feature is in strong contrast to conventional cipher code, which typically produces the same pattern and structure for each iteration of the code regardless of the changes the attacker makes. By making small changes and observing their impact, an attacker can gather information about the operation of cipher code, but he cannot do the same with software encoded using the systems and techniques disclosed herein. The diversity provided by embodiments disclosed herein also provides resistance to a "class crack". That is, it is not possible to provide an attack method that would systematically and automatically crack every embodiment of the invention in all cases. Note also that conventional white box implementations and code optimizers do not provide enough diversity to obtain any effective protection.
The diversity and non-invertibility of the inverse base functions greatly increase the complexity of the attack problem. In contrast to conventional software code or code protection systems, when attempting to defeat the systems and techniques disclosed herein, an attacker must first work out what function, code portion, application, etc. he is attacking, then how to invert it, and then how to exploit it.
The diversity provided by embodiments disclosed herein can provide a variable, randomly chosen structure for protecting code. The engine that generates the base function pairs and encodings may rely on random or pseudo-random keys to choose the underlying functions and/or keys. However, keys according to embodiments disclosed herein need not be the same size as the keys of many conventional security systems (i.e. 64 or 128 bits); instead, they may be thousands or tens of thousands of bits. For example, a prototype that has been developed uses 2,000 bits.
The base functions disclosed herein may include bijections used to encode, decode or recode data. Such bijections may have the following characteristics:
1) Wide data element encoding (typically four or more host computer words wide), unlike typical scalar encodings (see [5, 7] listed in the Appendix), but similar to block ciphers.
2) Encoding only the data: unlike typical scalar encodings, but similar to ciphers, they need not protect any computations other than those involved in recoding the data elements.
3) Cancelling (undoing the encoding of) a data block or stream, and/or generating a fixed-length hash of a data block or stream for authentication purposes, similar to block ciphers but unlike scalar encodings.
4) Taking the form of operations specifically chosen from the instruction set of the software in which they will reside and with which they will be interlocked; that is, they are designed to resemble the code in the context in which they are embedded, unlike ciphers.
5) Unlike both ciphers and scalar encodings, employing a massive number of distinct encodings. Scalar encodings generally employ one or at most a few mathematical constructions. Ciphers typically employ a slightly larger number, but that number is still very small. In some embodiments of the invention, various encodings are applied to the entire function, creating a structure in which different forms of protection are intricately interwoven with one another.
6) Unlike both ciphers and scalar encodings, providing a massive variety of algorithmic structures. Embodiments may have no fixed number of rounds, no fixed operand width for the various sub-steps, no fixed interconnection of the sub-steps, and no predetermined number of iterations of any kind.
7) Unlike both ciphers and scalar encodings, providing massive dynamic diversity: by means of highly data-dependent algorithms, for any particular employment of a base function bijection, the path taken through its sub-steps, its iteration counts, etc. depend strongly on the actual data input that is to be encoded, decoded or recoded.
8) Unlike both ciphers and scalar encodings, providing massive interdependence with their embedding context; that is, their behavior may depend strongly on the software in which they are embedded, and the software in which they are embedded may be made to depend strongly on them.
Some embodiments may use a large amount of real entropy (i.e. a large truly random input). However, if the engine that generates the base function pairs is not itself exposed to the attacker, it may safely employ a significantly smaller key, from which a much larger pseudo-random key is generated by means of a pseudo-random number generator, because in that case the attacker must cope both with the randomness of the real key entropy (which seeds the pseudo-random number generator) and with the randomness that inevitably arises from the programming of the generator.
In some embodiments, biased permutations may also be used. If the internal data used to generate base function pairs or other encoded data or functions are not random numbers, the resulting encodings will contain bias. If code is introduced that creates a permutation whose bias is easily noticeable, the result is a weakness in the system. In contrast, embodiments disclosed herein may generate biased permutations but then use various tools to make them less biased. This approach has been shown to be much less conspicuous than known techniques.
Some embodiments may include techniques for binding the beginning of a pipeline to the end of the pipeline, so that the target software code is anchored in the application or platform at both ends. This may be useful, for example, in peer-to-peer data transfer environments or digital rights management (DRM) environments. The systems and techniques disclosed herein may also be used to tie a cipher to other software applications or platforms, which is generally difficult to do using conventional techniques.
Some embodiments may use "function-indexed interleaving". This technique provides deep nonlinearity from linear components and nonlinear equations. It may be used in many ways, such as boundary protection, dynamic constant generation (e.g. key-to-code), providing dynamic diversity (data-dependent functions), self-combining ciphers, cipher mixing, and combining ciphers with non-ciphers. For example, it may be used to mix a black box cipher with the other protective code disclosed herein, thereby providing the long-term security of the black box cipher together with the other benefits of white box security. As noted above, the encodings of embodiments disclosed herein may be highly dependent on run-time data. With function-indexed interleaving, two kinds of information are used: a key K, which determines the base functions and their structure, and R, which determines which obfuscations are to be applied to the "defining implementations". Typically the client does not see R. The key K may be expanded from the context, but in some examples described herein only R is expanded in this fashion. Alternatively, semi-consistent information or data from the user or his device (such as a smart phone, tablet computer, PDA, server or desktop computer system, etc.), for example an IP address, may be used as run-time encoding and decoding keys.
Recursive function-indexed interleaving may also be used. Function-indexed interleaving typically interleaves arbitrary functions. If some of these functions are themselves functions obtained by function-indexed interleaving, this is a recursive use of function-indexed interleaving.
Some embodiments may include random cross-linking, cross-trapping, data-flow duplication, random cross-connection and random checks, combined with code reordering, creating omni-directional cross-dependencies and variable-dependent coding.
Some embodiments may use memory shuffling with fractured transforms (dynamic data mangling) to hide data flow, and this may also be used together with the other techniques. In dynamic data mangling, an array A of memory cells may be used, which can be viewed as having virtual indices, where M is the size of the array and the modulus of a permutation polynomial p over the finite ring of integers modulo M, as in a C program array. However, for any given index i, the location in the array to which it corresponds is not fixed, because it is addressed as p(i), and p takes coefficients determined from the input to the program. The locations may be regarded as "pseudo-registers" extending those of the host machine. By moving data into and out of these registers, recoding the data on each move, and by reusing these "pseudo-registers" for many different values (e.g. by allocating them with graph-coloring register allocation), the difficulty for an attacker of following the program's data flow can be greatly increased.
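The two building blocks just described, a permutation-polynomial base function pair (the paragraph on base functions above) and a pseudo-register file addressed through such a polynomial with recoding on every move (this paragraph), as one added worked example. This is illustrative code, not code from the patent or from the assignee; the word size, the fixed degree-3 polynomial, the seeding of the coefficients from an integer "program input", the affine recoding chosen for stores, and all function and class names are assumptions made for the example. Decoding is done by Newton (Hensel) lifting, which only works for someone holding the coefficient vector, i.e. the key.

```python
"""Added example, not the patent's code: (1) a permutation-polynomial base
function pair over Z/2^W whose key K is the secret coefficient vector, and
(2) a 'dynamic data mangling' pseudo-register file that addresses an array
through such a polynomial and recodes each value on every store."""
import random

W = 32                 # host word size assumed for the example
MOD = 1 << W


def is_perm_poly(coeffs):
    """Rivest's criterion: a0 + a1 x + a2 x^2 + ... permutes Z/2^k (k >= 2)
    iff a1 is odd, a2 + a4 + ... is even and a3 + a5 + ... is even.  Only
    parity matters, so a polynomial passing the test permutes Z/2^k for every
    k >= 2; the same p serves the W-bit base function and the M-cell array."""
    a = list(coeffs)
    return (len(a) >= 2 and a[1] % 2 == 1
            and sum(a[2::2]) % 2 == 0 and sum(a[3::2]) % 2 == 0)


def poly_eval(coeffs, x, mod):
    """Horner evaluation of the polynomial modulo mod."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % mod
    return y


def derive_perm_poly(program_input):
    """Degree-3 coefficients derived from the program input (an int seed here,
    an assumption) and parity-adjusted so that Rivest's conditions hold."""
    rng = random.Random(program_input)
    a = [rng.randrange(MOD) for _ in range(4)]
    a[1] |= 1                          # a1 odd
    if sum(a[2::2]) % 2:               # a2 even
        a[2] ^= 1
    if sum(a[3::2]) % 2:               # a3 even
        a[3] ^= 1
    assert is_perm_poly(a)
    return a


def base_encode(coeffs, x):
    """Forward base function: the permutation polynomial itself."""
    return poly_eval(coeffs, x, MOD)


def base_decode(coeffs, y):
    """Inverse base function: solve p(x) = y (mod 2^W) by Newton iteration.
    p'(x) is odd (a unit) for every permutation polynomial, so each round
    doubles the number of correct low-order bits; 7 rounds cover W = 32.
    Without the coefficients there is nothing to iterate on."""
    deriv = [(i * c) % MOD for i, c in enumerate(coeffs)][1:]
    x = (y - coeffs[0]) % 2            # correct mod 2 since p(x) = a0 + a1 x (mod 2)
    for _ in range(W.bit_length() + 1):
        fx = (poly_eval(coeffs, x, MOD) - y) % MOD
        x = (x - fx * pow(poly_eval(deriv, x, MOD), -1, MOD)) % MOD
    return x


class MangledRegisters:
    """Array A of M = 2^k cells.  Virtual index i lives at A[p(i) mod M], a
    permutation of the cells fixed by the program input.  Every store applies
    a fresh affine recoding x -> a*x + b (mod 2^W, a odd so invertible); the
    generated code would carry (a, b) in its own bookkeeping, modelled here by
    a dict.  Moving a value between pseudo-registers therefore recodes it."""

    def __init__(self, k, program_input):
        assert k >= 2                  # Rivest's criterion needs 2^k with k >= 2
        self.M = 1 << k
        self.cells = [0] * self.M
        self.p = derive_perm_poly(program_input)
        self.rng = random.Random(program_input ^ 0x5DEECE66D)  # assumed tweak
        self.coding = {}               # virtual index -> (a, b) currently in force

    def phys(self, i):
        return poly_eval(self.p, i, self.M)

    def store(self, i, value):
        a = self.rng.randrange(MOD) | 1
        b = self.rng.randrange(MOD)
        self.cells[self.phys(i)] = (a * value + b) % MOD
        self.coding[i] = (a, b)

    def load(self, i):
        a, b = self.coding[i]
        return ((self.cells[self.phys(i)] - b) * pow(a, -1, MOD)) % MOD

    def move(self, src, dst):
        """Data shifted from one pseudo-register to another is recoded on the way."""
        self.store(dst, self.load(src))
```

The test of the "pseudo-registers" idea is that `phys` is a bijection on the cell indices (so no two virtual indices collide) while the physical position of a given index is unpredictable without the program input, and that a value survives any number of moves even though the bytes stored in memory differ after each one.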
Some embodiments may use "spread and blend" encoding. This is another way of describing the use of base functions combined with code interleaving, which "smears" the boundaries of the base functions so that it is harder for an attacker to distinguish them. General data blending may have portions of the base functions mixed with other code, making the code harder to identify and lift.
Some embodiments provide security lifecycle management. Black box security provides good long-term protection, but is not very useful in today's applications. Embodiments disclosed herein may refresh an implementation on an unprotected device faster than the implementation can be broken. Different devices and applications have different needs. For example, a pay-per-view television broadcast (such as a sporting event) may have very little value a few days after the event, so it may only be necessary to provide enough security to protect the broadcast data for about a day. Similarly, the market for a computer game may shrink rapidly after a few weeks, so a key may only need to protect the game for its first weeks or months. Embodiments disclosed herein may allow a user to apply the level of security needed, thus balancing security against performance. Quite literally, an adjustable "obfuscation index dial" may be placed on a console. Although the security level of a particular implementation may be unknown, the strength with which the obfuscation methods are applied can be controlled. Generally, these settings may be adjusted when the application is created with its embedded base functions, as part of the software development process. Security analysis can provide an estimate of how difficult it would be to break an application at a given obfuscation level. Based on this estimate, an engineering decision can be made on how to balance performance needs against security needs, and the "obfuscation index dial" can be configured accordingly. This flexibility is not available in other protection systems. For example, with AES a fixed key length and fixed code are used, and they cannot be adjusted.
Some embodiments may provide a flexible security refresh rate, allowing the complexity of a "moving target" to be balanced against the cost of refreshing the code. In many cases, what is required is to refresh quickly enough to stay ahead of potential attackers.
Some embodiments may not have the primary goal of providing long-term data security in a hacker-exposed environment. In this regard, the scheme does not expose the data to hackers; it exposes only the means of accessing the data, for example a web presence protected by credentials issued to the client (a secure ID(TM) token, pass-phrases, etc.), through which the client accesses the data via a protected session that exposes at most a small fraction of the data. In a hacker-exposed environment, it is expected that the exposed software is refreshed in the same way. For example, in a satellite TV conditional access system, the cryptographic keys embedded in the software of the set-top box (STB) are refreshed periodically, so that any compromise of a key has value only for a finite period of time. Currently, such cryptographic keys can be protected over this limited exposure period by means of software obfuscation and/or white box ciphers.
However, white box ciphers have proved fragile against attacks that a sophisticated attacker with expertise in cryptography and in analyzing executable programs may carry out quickly, because the cryptographic algorithms employed are among the most thoroughly examined algorithms in existence, and because tools for analyzing programs have also become very sophisticated recently. In addition, ciphers have special computational properties, in that they are often defined over arithmetic domains not normally used in computation: for example, AES is defined over a Galois field, RSA public-key cryptosystems are defined by modular arithmetic over very large moduli, and 3DES by bit operations, table lookups and bit permutations with duplicating bit extensions.
In fact, program analysis tools have been created that can sometimes bypass the need for cryptanalysis altogether: in a code-lifting attack, the attacker simply extracts the cryptographic algorithm and employs its functionality without further analysis (since it is, after all, a piece of working software, however obfuscated it may be) to break the software application.
Some embodiments may provide much stronger short-term resistance to attack. Such protection may be suitable for systems in which the time over which resistance is needed is relatively short, because long-term security is addressed by refreshing the software residing on the exposed platform. This addresses a specific gap: it focuses on the pressure point created by highly sophisticated cryptanalytic tools and knowledge, extremely well-studied ciphers, the limited protection available through software obfuscation, highly sophisticated tools for analyzing executable programs, and the limited exposure time of software in typical commercial content distribution environments. The goal is to prevent attacks of these kinds, which experience with white box ciphers in the prior art has shown to be so fast (cryptographic attacks and/or code-lifting attacks) that they are worthwhile even given the limited validity lifespan of an exposed program (such as an STB program) between refreshes.
In many cases, it is only necessary to resist analysis for the duration of the refresh cycle, and to tie the cipher so closely into the application in which it resides that a code-lifting attack is also infeasible within the refresh cycle. The refresh cycle rate is determined by engineering and cost considerations: how much bandwidth can be allocated to refreshing, how smoothly refreshing can be coordinated with the ongoing service components without loss of quality of service, etc.; these are all problems that are very well understood in the field of conditional access systems. These considerations roughly indicate how long our protection must hold against analysis and lifting attacks.
Some embodiments may provide a significantly stronger encoding, capable of resisting attack over a longer period, by abandoning the idea of computing on encoded operands, as the simpler encodings above do, and replacing it with something more like a cipher. Ciphers themselves could be, and indeed are, used for this purpose, but they cannot easily be interlocked with ordinary software because (1) their algorithms are rigidly fixed by cipher standards and (2) their computations are typically very different from ordinary software, and are therefore neither easy to conceal within it nor easy to interlock with it. The base functions described herein provide an alternative that permits concealment and interlocking: they use conventional operations, and their algorithms are vastly more flexible than is the case for ciphers. They can combine a black box security level as strong as that of conventional ciphers with a white box security level significantly better than that of both the simple encodings above and known white box ciphers, and they can also be combined with cipher code.
In some embodiments, a base function can be created by selecting a word size w and a vector length N, and generating an invertible state-vector function configured to operate on an N-vector of w-bit words, the invertible state-vector function comprising a combination of multiple invertible operations. The state-vector function may receive an input of at least 64 bits and provide an output of at least 64 bits. A first portion of the steps in the state-vector function perform linear or affine computations. The first and second portions of the steps in the state-vector function are indexed using indexing techniques. At least one operation in an existing computer program may then be modified to execute the state-vector function in place of the selected operation. Each indexing technique may control a different indexed operation, such as an if-then-else construct, a switch, the selection of an element substitution, an iteration count, an element rotation count, the key index of a function index, and so on. Some of the steps in the state-vector function may be non-T-function operations. In general, each step in the state-vector function may be invertible, so that the whole state-vector function is inverted by inverting each of its steps. In some configurations the state-vector function may be keyed using, for example, a run-time key, a generation-time key, or a function-indexed key. The state-vector function may be implemented using various operation types, such as linear operations, matrix operations, random permutations, and so on. Various encoding schemes may also be applied to the input and/or output of the state-vector function, and/or to the operations of the state-vector function. In some configurations, different encodings may be applied at each point associated with the state-vector function, so as to produce fractures.
In some embodiments, a base function disclosed herein may be executed by, for example: receiving an input of word size w, and applying to the input an invertible state-vector function configured to operate on an N-vector of w-bit words, where the invertible state-vector function comprises multiple invertible operations and a first portion of the steps in the state-vector function perform linear or affine computations. Additional operations may be applied to the output of the invertible state-vector function, each operation being selected on the basis of a different indexing technique. In general, the state-vector function may have any of the attributes disclosed herein with respect to state-vector functions and base functions.
In some embodiments, a first operation may be executed by performing a second operation, for example by: receiving an input X encoded as A(X) under a first encoding A; performing a first plurality of computer-executable operations on the input using values derived from the inverse of a second encoding B, the second encoding B being different from the first encoding A; and providing an output based on the result. Such an operation can be considered a "fracture", and allows an operation to be executed in a way that is inaccessible or invisible to an external user or to a potential attacker. In some configurations the output of the first operation is not provided externally to the executable code, and the first operation is integrated with the executable code.
In some embodiments, for a matrix operation configured to receive an input and provide an output, the input may be permuted according to a sorting-network topology before the operation is performed. The matrix operation may be executed using the permuted input to generate an output, and the output permuted according to the sorting-network topology. The permuted output may be provided as the output of the matrix operation.
In some embodiments, a first input may be received, and a first function of a function-indexed interleaving applied to the first input to generate a first output having a left half and a right half. A second function of the function-indexed interleaving may be applied to the first output to generate a second output, where the left half of the first output is used as the right input to the second function and the right half of the first output is used as the left input to the second function. The second output may then be provided as an encoding of the first output.
In some embodiments, a key K may be generated, and a pair of base functions generated based on the key K and randomisation information R. The base function may be applied at a first end of a communication pipe and its inverse applied at the second end of the communication pipe, after which the key K may be discarded. The communication pipe may span applications on a single platform or on separate platforms.
In some embodiments, one or more operations to be executed by a computer system during execution of a program may be duplicated to create a first copy of the one or more operations. The program may then be modified to execute the first operation copy instead of the first operation. Each operation and its corresponding copy may be encoded using different encodings. Pairs consisting of an operation and its copy may also be used to create check values, for example where the difference between the result of the operation and the result of the copy is added to the result of the operation or to the result of the copy. This allows modifications made by an attacker during execution of the program to be detected.
In some embodiments, during execution of a program comprising multiple operations and a copy of each operation, when an execution point is reached at which an operation among the multiple operations should be executed, either the copy or the original operation may be selected at random and executed by the program. The result of the randomly selected operation may be equivalent to the result that would be obtained if only a single copy of the operation were executed.
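The duplication and random-selection scheme of the two preceding paragraphs, as an added example that is not the patent's own code. The operation x -> 3*x + 7 (mod 2^w), the 32-bit word size and the affine encodings are choices made for this illustration; the check value here is an odd multiple of the difference between the two variants (a constructed detail) so that the sum equals the correct result only when both variants agree modulo 2^w.

```python
# Added example, not the patent's code: an operation is duplicated under two
# different affine encodings, one variant is chosen at random at each execution
# point to carry the data flow, and a check value derived from both variants is
# folded into the output so that tampering with either variant is not silent.
import random

W = 32
MASK = (1 << W) - 1


def encode(x, enc):
    a, b = enc                      # a odd: x -> a*x + b is a bijection mod 2^w
    return (a * x + b) & MASK


def decode(y, enc):
    a, b = enc
    return (pow(a, -1, 1 << W) * (y - b)) & MASK


def encoded_affine_op(mul, add, enc):
    """Return a variant computing enc(mul * dec(y) + add) with the constants folded,
    so it works directly on encoded data: with dec(y) = a^-1 (y - b) the result is
    mul*y + (a*add + b - mul*b), and the plaintext never appears."""
    a, b = enc
    k = (a * add + b - mul * b) & MASK
    return lambda y: (mul * y + k) & MASK


class DuplicatedOperation:
    """The original operation and one copy, each under its own random encoding."""

    def __init__(self, mul, add, rng):
        self.rng = rng
        self.enc_orig = (rng.getrandbits(W) | 1, rng.getrandbits(W))
        self.enc_copy = (rng.getrandbits(W) | 1, rng.getrandbits(W))
        self.orig = encoded_affine_op(mul, add, self.enc_orig)
        self.copy = encoded_affine_op(mul, add, self.enc_copy)

    def execute(self, x, tamper_copy=None):
        """One execution point: run both variants on their own encodings of x,
        pick one at random to carry the data flow, and add the check value.
        tamper_copy simulates an attacker patching the copy's encoded output."""
        r_orig = decode(self.orig(encode(x, self.enc_orig)), self.enc_orig)
        r_copy_enc = self.copy(encode(x, self.enc_copy))
        if tamper_copy is not None:
            r_copy_enc = tamper_copy(r_copy_enc)
        r_copy = decode(r_copy_enc, self.enc_copy)
        if self.rng.random() < 0.5:
            chosen, other = r_orig, r_copy
        else:
            chosen, other = r_copy, r_orig
        # 3 is a unit mod 2^w, so the check is zero exactly when chosen == other;
        # a plain difference would also vanish when the two differ by 2^(w-1)
        check = (3 * (chosen - other)) & MASK
        return (chosen + check) & MASK
```

Because the two variants are equivalent, which one carries the data flow is invisible in the result; altering either variant makes the check non-zero and corrupts the output instead of being silently accepted.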
In some embodiments, an input may be received from an application. An array of size M may be defined by M register locations. A permutation polynomial p, an input-based vector mapping matrix A which produces z from the input, and a series of constants may also be defined. A series of operations may then be executed, each operation providing an intermediate result which is stored in an M-register selected at random from the M registers. A final result may then be provided to the application, based on the series of intermediate results, from the last M-register storing the final result. Each intermediate result stored in an M-register may have a separate encoding applied to it before it is stored in the corresponding M-register. The different encodings applied to intermediate results may be selected at random from among multiple different encodings. Similarly, different encodings may be applied to the intermediate results stored in the M-registers, which may or may not correspond to the encoding used when storing the intermediate result in the M-register. New M-registers may be allocated as needed, for example only when required according to a graph-colouring allocation algorithm.
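The random placement and encoding of intermediate results described above, as an added example that is not the patent's own code. The computation (a polynomial evaluated by Horner's rule), the 32-bit word size, the array size M = 8, and the affine encodings are choices for this illustration; the permutation polynomial p and the mapping matrix A mentioned in the paragraph are not modelled.

```python
# Added example, not the patent's code: dynamic data mangling of intermediates.
# Each intermediate value is stored in a randomly selected cell of an M-cell
# array under a freshly chosen affine encoding, and the cell is released for
# reuse once consumed. The decoded result is the same on every run while the
# memory image differs from run to run.
import random

W = 32
MASK = (1 << W) - 1
M = 8                                   # number of M-cells (a choice for this example)


def encode(x, enc):
    a, b = enc                          # a odd: x -> a*x + b is a bijection mod 2^w
    return (a * x + b) & MASK


def decode(y, enc):
    a, b = enc
    return (pow(a, -1, 1 << W) * (y - b)) & MASK


class MangledStore:
    """An M-cell array whose cells hold encoded intermediates at random positions."""

    def __init__(self, rng):
        self.rng = rng
        # unused cells are filled with random words so that they are
        # indistinguishable from live encoded values
        self.cells = [rng.getrandbits(W) for _ in range(M)]
        self.free = set(range(M))

    def put(self, value):
        """Store a plaintext intermediate in a random free cell under a fresh
        encoding; return the handle (cell, encoding) the consuming step needs."""
        if not self.free:
            raise RuntimeError("no free M-cell: the allocator would add one here")
        cell = self.rng.choice(sorted(self.free))
        self.free.remove(cell)
        enc = (self.rng.getrandbits(W) | 1, self.rng.getrandbits(W))
        self.cells[cell] = encode(value, enc)
        return cell, enc

    def take(self, handle):
        """Decode and release a cell (freed cells are reused, like registers)."""
        cell, enc = handle
        self.free.add(cell)
        return decode(self.cells[cell], enc)


def mangled_polynomial(x, coeffs, rng):
    """Evaluate coeffs[0]*x^n + ... + coeffs[n] mod 2^w by Horner's rule with
    every intermediate result living in the mangled store.
    Returns (result, final memory image of the M-cells)."""
    store = MangledStore(rng)
    handle = store.put(coeffs[0])
    for c in coeffs[1:]:
        acc = store.take(handle)
        handle = store.put((acc * x + c) & MASK)
    return store.take(handle), list(store.cells)
```

Two runs with different random streams produce different cell contents and different cell choices, yet the same decoded result, which is the property the paragraph above relies on.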
In some embodiments, a first operation may be executed which produces at least a first value a as output, and a first variable x may be encoded as aX+b using a and a second value b. A second operation may be executed using aX+b as input, and a decoding operation using a and b may be executed, after which a and b may be discarded. The value b may also be the output of a third operation. Different encodings may be used for multiple input values encoded as aX+b, using the same and/or different values of a and b. These values may be selected from among any values stored in computer-readable memory, based on the expected time for which one or more constants will remain stored in memory. Similarly, existing computer-readable program code comprising instructions for executing an operation may be modified to encode x as cX+d and, when executed, to produce at least the first value c. The operation may be executed on at least one x, and c and d subsequently discarded.
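The aX+b encoding of this paragraph, together with the fracture of the earlier paragraph (an operation whose input and output encodings differ, with the conversion folded into its constants), as an added example that is not the patent's own code. The 32-bit word size, the addition operation and the specific constants in the usage are choices for this illustration.

```python
# Added example, not the patent's code: affine word encodings x -> a*x + b
# (mod 2^w, a odd), a fracture in which an operation receives operands under one
# encoding and emits its result under a different one, and the discard-after-use
# lifetime of the constants a, b described above.
import random

W = 32
MASK = (1 << W) - 1


def encode(x, a, b):
    """Encode x as a*x + b modulo 2^w; a must be odd so the map is a bijection."""
    assert a & 1, "multiplier must be odd to be invertible mod 2^w"
    return (a * x + b) & MASK


def decode(y, a, b):
    """Invert encode: x = a^-1 * (y - b) mod 2^w."""
    return (pow(a, -1, 1 << W) * (y - b)) & MASK


def fracture_add(ya, yb, enc_in, enc_out):
    """Add two operands that arrive under enc_in = (a, b) and emit the sum under a
    different encoding enc_out = (c, d).

    Algebraically the result is enc_out(dec_in(ya) + dec_in(yb)); with
    dec_in(y) = a^-1 (y - b) this collapses to m*(ya + yb) + k where
    m = c * a^-1 and k = d - 2*m*b. The operation therefore never forms the
    plaintext sum and never performs a separate decode, and the mismatch between
    its input and output encodings (the fracture) is not visible at its boundary.
    """
    a, b = enc_in
    c, d = enc_out
    m = (c * pow(a, -1, 1 << W)) & MASK
    k = (d - 2 * m * b) & MASK
    return (m * (ya + yb) + k) & MASK


def protected_sum(x, y, rng=random.SystemRandom()):
    """One encoded segment: an odd a and a b (which could equally be outputs of
    earlier operations) are produced, x and y are carried as a*x + b, the
    fracture re-encodes the sum under (c, d), and all four constants are
    discarded when the segment returns. Only the final decode handles plaintext."""
    a = rng.getrandbits(W) | 1
    b = rng.getrandbits(W)
    c = rng.getrandbits(W) | 1
    d = rng.getrandbits(W)
    ya, yb = encode(x, a, b), encode(y, a, b)
    z = fracture_add(ya, yb, (a, b), (c, d))
    return decode(z, c, d)
```

With small constants the folding is easy to follow by hand: operands 10 and 20 under (a, b) = (3, 5) are 35 and 65, and the fracture returns 221, which is 30 under (c, d) = (7, 11).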
In some embodiments, at least one base function may be blended with the executable program code of an existing application. For example, the base function may be blended with the executable program code by replacing at least one operation in the existing program with the base function. The base function may also be blended with the existing application by applying one, some or all of the techniques disclosed herein, including fractures, variable-dependent encoding, dynamic data mangling and/or cross-linking. The base functions and/or any blending process used may include, or may consist exclusively of, operations which are similar to or indistinguishable from the operations present in the portion of the existing application code with which they are blended. Thus it may be difficult or impossible for an attacker to distinguish the operations of the base function and/or the blending techniques from those which would be present in the existing executable program code in the absence of the base function.
In some embodiments, a computer system and/or computer program product may be provided, comprising a processor and/or a computer-readable storage medium storing instructions which cause the processor to execute one or more of the techniques disclosed herein.
Furthermore, because the algorithms used with the base functions disclosed herein can be relatively flexible and open-ended, they permit highly flexible schemes of software diversity, in which instances differ far more deeply than is possible with white-box cryptography. They are therefore far less vulnerable to automated attacks. Wherever an attack can be forced to require human participation this is highly advantageous, because new instances of protected code and data can be generated automatically at computer speed, while they can only be compromised at human speed.
Other systems, methods, features and advantages of the invention will be or will become apparent to one skilled in the art upon examination of the following drawings and detailed description. All such additional systems, methods, features and advantages are intended to be included within this description, to be within the scope of the invention, and to be protected by the accompanying claims.
Brief Description of the Drawings
In the drawings:
Figure 1 shows a commutative diagram for an encrypted function according to the invention;
Figure 2 shows the general instruction format of a virtual machine according to the invention;
Figure 3 shows the entry/exit instruction format of a virtual machine according to the invention;
Figure 4 shows a Mark I "Woodenman" construction according to the invention;
Figures 5 and 6 show the first and second halves, respectively, of a Mark II construction according to the invention;
Figure 7 shows a graphical representation of a sorting network according to the invention;
Figure 8 shows a flowchart of a method of performing function-indexed interleaving according to the invention;
Figure 9 shows a flowchart of a method of performing control-flow duplication according to the invention;
Figure 10 shows a flowchart of a method of performing data-flow duplication according to the invention;
Figure 11 shows a flowchart of a method of creating sections according to the invention;
Figure 12 gives a process flowchart for implementing a Mark II protection system of the invention;
Figure 13 shows a graphical representation of the irregular structure of the section design of a Mark III implementation of the invention;
Figure 14 shows a graphical representation of the granularity of the T-function partitioning achievable in a Mark III implementation of the invention;
Figure 15 shows a graphical representation of the overall structure of a Mark III implementation of the invention;
Figure 16 shows a graphical representation of the defence layers of a Mark III implementation of the invention;
Figure 17 shows a graphical representation of mass-data encoding in an implementation of the invention;
Figures 18 and 19 show graphical representations of control-flow encoding in an implementation of the invention;
Figure 20 shows a graphical representation of dynamic data mangling in an implementation of the invention;
Figure 21 shows a graphical representation of cross-linking and cross-trapping in an implementation of the invention;
Figure 22 shows a graphical representation of context-dependent encoding in an implementation of the invention;
Figure 23 gives a process flowchart for implementing a Mark II protection system of the invention;
Figure 24 shows a graphical representation of a typical use of mass-data encoding or dynamic data mangling in an implementation of the invention;
Figure 25 shows a block diagram setting out the main problems that embodiments of the invention seek to solve;
Table 25 gives a table classifying software boundary problems;
Figure 26 shows block diagrams of an example software system in unprotected form, with white-box protection, and protected by the system of the invention;
Figure 27 shows a histogram contrasting the protection levels provided by black-box security, white-box security, and protection under an example embodiment of the invention;
Figure 28 shows a process flowchart contrasting ciphers, hashes and the example base functions of the invention;
Figure 29 shows a block diagram of how the base functions of the invention can be used to provide a secure communication pipe;
Figure 30 shows a process flowchart of function-indexed interleaving according to the invention;
Figure 31 gives a process flowchart for implementing a Mark I protection system of the invention.
Detailed Description
The embodiments disclosed herein describe systems, techniques and computer program products which can protect computer systems whose components may be exposed to an attacker. For example, software applications distributed for operation on an end user's commodity hardware may be subject to attack by entities that have access to the code during execution.
In general, the embodiments disclosed herein provide techniques for creating a set of base functions and integrating those functions with existing program code in such a way that it is difficult or impossible for a potential attacker to isolate, distinguish or closely examine the base functions and/or the existing program code. For example, processes disclosed herein may receive existing program code and combine base functions with the existing code. Base functions and existing code may also be combined using various techniques such as fractures, dynamic data mangling, cross-linking and/or variable-dependent encoding as disclosed herein, to further blend the base functions with the existing code. The base functions and other techniques may use operations which are computationally similar to, identical to or indistinguishable from those used by the existing program code, which can increase the difficulty for a potential attacker of distinguishing the protected code from the protection techniques applied to it. As will be described herein, this can provide a final software product which is more resilient to a variety of attacks than is possible using conventional protection techniques.
As shown in Figure 25, the embodiments disclosed herein can provide solutions to several fundamental problems which arise when seeking to protect software against attack, such as software boundary protection, advanced diversity and renewability problems, and protection scalability issues.
Software boundary problems can be organised into five groups, as shown in Table 1: skin problems, data boundaries, code boundaries, boundaries between protected data and protected code, and boundaries between protected software and secure hardware.
Table 1
Three types of "skin problem" can be addressed by the embodiments disclosed herein: data flow from an unprotected to a protected domain, data flow from a protected to an unprotected domain, and computation boundaries between unprotected and protected domains. Ultimately, data and user interaction must take place in unencoded form so that the user can understand the information. In each case, attacks on the unprotected data and computation may be the starting point for compromising their counterparts in the protected domain. Conventionally, these problems are difficult to solve without introducing a trusted enabling mechanism at the boundary. However, the diversity and the self-encoding at the boundary provided by the embodiments disclosed herein give a degree of protection which known systems do not provide.
Data boundaries may be classified into three types: data-type boundaries, data-dependency boundaries, and data boundaries across functional components. With respect to data-type boundaries, current data transformation techniques are limited to individual data types rather than multiple data types or mass data. The boundaries among individually protected data items stand out, permitting identification and partitioning. With respect to data-dependency boundaries, data diffusion through existing data-flow protection is limited: the original data flow and computational logic are exposed. Most current white-box cryptography vulnerabilities are related to both data-type and data-dependency boundary problems. Finally, with respect to data boundaries across functional components, the communication boundaries among the functional components of an application system, whether these run on the same or different devices or as client and server, are all vulnerable because the boundaries are obvious in the data communication. The use of base-function encoding and function-indexed interleaving in the embodiments disclosed herein can address some or all of these data-boundary problems, because both the data and the boundaries themselves can be obscured.
Code boundaries may be classified into two types: functional boundaries among protected components, and boundaries between injected code and the protected version of the original application code. Functional boundaries among protected components are a weakness because the boundaries among functional components remain visible after those components are protected. That is, with white-box protection, the white-box cryptographic components can generally be identified by their distinctive computations. In general, such protected computation segments can be easily partitioned, producing vulnerability to component-based attacks such as code lifting, code replacement, code cloning, replay, code sniffing and code spoofing. Similarly, the boundaries between injected protection code and the protected version of the original application code are also generally visible. Current individual protection techniques produce localised protected code for specific computations, and code boundaries produced using different protection techniques are not effectively glued and interlocked. In contrast, the embodiments disclosed herein can address all of these code-boundary problems, because the use of base-function encoding and function-indexed interleaving allows code to be obscured and interwoven with the protection code itself. Because basic computer processing and arithmetic functions are used for the protection code, there is no distinctive code that an attacker can quickly identify.
The boundary between protected data and protected code presents another weakness which can be exploited by an attacker, because current white-box techniques do not protect the boundary between protected data and protected code. In contrast, the embodiments disclosed herein can lock protected data together with protected code, preventing code-lifting or data-lifting attacks. Current white-box cryptography implementations in this field are vulnerable to such lifting attacks.
Similarly, the boundary between protected software and secure hardware presents a vulnerability because existing white-box techniques do not protect the boundary between protected software and secure hardware: data crossing such a boundary is unprotected or only weakly protected. In contrast, the embodiments disclosed herein can lock protected hardware and protected software to each other.
There are also logistical problems associated with security, in particular diversity and renewability problems. Current program diversity is limited by program structure and constructs, and by the limitations of the individual protection techniques applied. As a result, diversified instances do not vary deeply (for example, changes to program structure are limited), and instances may be similar enough to permit attacks based on comparing diversified instances. Current protection techniques are limited to static diversity and fixed security. In contrast, the embodiments disclosed herein can provide dynamic diversity, which allows intelligent control and management of the security level provided by diversity and renewability. As described in further detail herein, solving the advanced diversity and renewability problems can be fundamental to security lifecycle management.
Figure 26 shows a block diagram of an example software system protected under a known white-box model and under an example embodiment disclosed herein. The protected source code and data functions, modules and storage blocks are represented by geometric shapes labelled F1, F2, F3, D1 and D2. Existing white-box and similar protection techniques can be used to protect the various code and data functions, modules and storage blocks, but even in protected form they expose (at least minimally) unprotected data and other information at their boundaries. In contrast, embodiments of the invention can address these boundary problems. In some cases, once an instance of an embodiment has been executed as disclosed herein, an observer cannot tell which parts of the original program are F1, F2, F3, D1, D2 and which are data, even if the observer has access to the program and can observe and alter its operation.
This can be achieved, for example, by interweaving code between the different code and data functions, modules and storage blocks, thereby "gluing" these components together. By coupling code tightly in this way, real boundary protection can be provided. As described above, diversity and renewability are provided in the following respects: 1) far greater flexibility than previous systems; 2) easy and powerful control; 3) dynamic diversity and security; and 4) measurable and manageable diversity. The embodiments disclosed herein can also provide the "complexity properties" of one-way bijective functions, together with measurable, controllable and auditable mechanisms, to ensure the security required by users. Bijections are described in more detail below, but briefly they are lossless pairs of functions which perform a transformation of variables, the transformation being undone later in the protected code. The transformation can be done in thousands or millions of ways, and each transformation can generally be done in an entirely different and non-repeating manner. Various techniques may be used to hide the existing program, producing a large number of multicodings of bijective functions, which are not programmed by hand but generated by random computational processes. This includes cipher-like and hash-like bijective functions which can solve the boundary problems.
Relative to conventional techniques, the embodiments disclosed herein can provide improved security and safety (that is, effective security and effective security metrics). Diversity over greater time and space than white-box cryptography provides can also be offered. The security metrics are based on the computational complexity of known attacks, and the basic primitive is the generation of pairs of mutually inverse functions. Other primitives can be constructed as described herein, with or without symmetric or asymmetric auxiliary keys.
Figure 27 contrasts the properties of the conventional black-box and white-box models with those of the embodiments disclosed herein in terms of long-term security and resistance to hostile attack. Cryptography relies heavily on ciphers and hashes: ciphers allow secrets to be transmitted over insecure or public channels, and hashes validate the source of data. These capabilities have an enormous number of uses. In a black-box environment, such cryptographic techniques can have very good long-term security. But in terms of attack resistance, such systems have a very short lifespan. As explained above, ciphers and hashes have rigid structures and very standardised equations which can be attacked directly. White-box protection can be used to raise the level of attack resistance, but even in this environment the protected code reveals patterns and equations from the original cipher and hash code, and the boundaries remain unprotected. In addition, white-box protection does not protect code from perturbation attacks.
In contrast, the embodiments disclosed herein can incorporate cipher-like and hash-like encodings, which give the protection the security and strength of ciphers and hashes. In other words, the process of applying white-box encoding to ciphers and hashes typically uses simple encodings in an attempt to protect and obscure very distinctive code. The techniques disclosed herein, however, can use strong and diverse encodings to protect any code. With the diverse encodings and interleaving disclosed herein, the distinctiveness of the target code is removed. Thus, as shown, the disclosed techniques can provide a much stronger security profile than conventional black-box and white-box protection.
Figure 1 shows the commutative diagram of an encrypted function using encodings according to an embodiment of the invention. For a total function f, a bijection d on its domain and a bijection r on its range can be selected; the composition of r, f and the inverse of d is the encoded version of f, d is the input encoding or domain encoding, and r is the output encoding or range encoding. A bijection such as d or r is simply called an encoding. In the particular case where f is a function, the diagram shown in Figure 1 commutes, and computing with the encoded version of f is computing with an encrypted function. Further details on the use of such encodings are provided in section 2.3 of the appendix.
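The commutative diagram of Figure 1 made concrete, as an added example that is not the patent's own code. The 8-bit word size, the sample function f, and the use of random permutation tables as the encodings d and r are choices for this illustration.

```python
# Added example, not the patent's code: d and r are random bijections (lookup
# tables) on the domain and range, f is an arbitrary total function, and the
# encoded function is tabulated as r o f o d^-1. The check confirms that
# encoding the input with d and running the encoded function gives the same
# result as running f and encoding the output with r, i.e. the diagram commutes.
import random

SIZE = 256                     # 8-bit words (a choice for this example)


def make_encoding(rng):
    """A random bijection on {0..SIZE-1} and its inverse, both as tables."""
    perm = list(range(SIZE))
    rng.shuffle(perm)
    inv = [0] * SIZE
    for x, y in enumerate(perm):
        inv[y] = x
    return perm, inv


def encode_function(f, d_inv, r):
    """Tabulate the encoded version of f over the encoded domain: it takes an
    already encoded input, recovers the plaintext with d^-1, applies f and
    re-encodes the result with r. Only this table, not f, d or r, need be
    present in the protected code."""
    return [r[f(d_inv[xe])] for xe in range(SIZE)]


def diagram_commutes(f, d, r, f_enc):
    """True if f_enc(d(x)) == r(f(x)) for every x in the domain."""
    return all(f_enc[d[x]] == r[f(x)] for x in range(SIZE))


def sample_f(x):
    """A total but non-injective function: f need not be a bijection, only d and r."""
    return (x * x + 3) & (SIZE - 1)


def build(seed):
    """Pick fresh encodings d and r and tabulate the encoded sample function."""
    rng = random.Random(seed)
    d, d_inv = make_encoding(rng)
    r, _ = make_encoding(rng)
    f_enc = encode_function(sample_f, d_inv, r)
    return d, r, f_enc
```

A different seed yields a different table for the same f, which is the source of the diversity discussed above: the encoded table alone does not reveal f unless d and r are also known.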
Figure 28 contrasts the properties of conventional ciphers and hashes with those of the bijective base functions disclosed herein. Ciphers are lossless functions: they preserve all the information they encode, so that information cannot be used in the same way as the original without being decoded. A cipher is invertible given one or more keys, but it is hard to determine the key or keys from instances of the plaintext and the encrypted information ("plaintext" and "encrypted" in Figure 28) k1, K2. A hash is lossy above a certain length, but this is usually not a problem because hashes are generally used only for verification. With a hash it is hard to determine the optional key k from instances of the raw data and the hash ("plaintext" and "hashed" in Figure 28).
The base functions disclosed herein can provide the services of ciphers or hashes, because it is hard to recover the key from the encoded and unencoded functions. Relative to using ciphers or hashes, the advantage provided by base functions is that the computations they use resemble normal code, which makes it easier to blend the code of the base function with the target code. As noted above, ciphers and hashes use very distinctive code and structures which are hard to obscure or hide, and which lead to vulnerability.
Mutually inverse pairs of base functions as disclosed herein can employ random secret information (entropy) in two ways: as key information k, which determines the mutually inverse functions, and as randomisation information r, which determines how the implementation is obfuscated.
For example, two mutually inverse base functions may be represented by subroutines g and h, written in C. The base functions may be constructed by an automated base-function generator program or system, where g is an obfuscated implementation of a mathematical function and h is an obfuscated implementation of its inverse. Thus g may be used to "encrypt" data or code, which can then be "decrypted" using h (or vice versa).
Optionally, in addition to the build-time key K, a run-time key can also be provided. For example, if the input of a given base function is wider than its output, the extra input vector elements can be used as a run-time key. This is very similar to the situation of a cipher such as AES-128. A typical run of AES-128 has two inputs: a 128-bit key and a 128-bit text. The implementation performs encryption or decryption under the control of the key. Similarly, a base function can be configured to encrypt differently depending on the content of its extra inputs, so that the extra inputs effectively become a run-time key (as opposed to the software-generation-time key K, which controls the static aspects of the base function). The base functions disclosed herein are built from blocks which make it relatively easy to indicate whether the run-time key is the same for an implementation and its inverse, or differs between them: if the run-time key is added to the selector vector, it is the same for both; if it is added as a run-time key elsewhere, it differs between them.
Compared with known white-box systems, the key information k can be used to select among a great many different encoding functions, permitting much greater spatial and temporal diversity. Diversity is also provided together with the other techniques used in embodiments of the invention, such as function-indexed interleaving, which provides dynamic diversity through text dependency. Further diversity can also be provided by the variants of control-flow encoding and mass-data encoding described below.
The base functions disclosed herein can incorporate or make use of state-vector functions. In general, as used herein, a state-vector function is organised around a vector of N elements, each of which is a w-bit quantity. The state-vector function may be executed as a series of steps, in each of which a number of elements of the vector between zero and N is modified. In a step in which zero elements are modified, the step in effect applies the identity function to the state vector.
In some embodiments, one or more of the state-vector functions used in constructing a base function may be invertible. A state-vector function is invertible if, for each and every step in the state-vector function, there is an inverse step such that applying the step algorithm and then applying the inverse step algorithm has no net effect. Any finite sequence of invertible steps is invertible by executing the inverse step algorithms in the reverse of their original order.
Illustrative examples of invertible steps on a vector of w-bit elements include: adding two elements, such as adding i and j to obtain i+j; multiplying an element by an odd constant; and mapping a contiguous or non-contiguous sub-vector of the elements to new values by taking its product with an invertible matrix. The corresponding inverse steps of these examples are, respectively: subtracting element i from element j; multiplying the element by the multiplicative inverse of the original constant multiplier; and mapping the sub-vector back to its original values by multiplying by the inverse of the matrix.
Some embodiments can use one or more state vector functions with one or more index step.If except its normally input, it is also got extra index input and makes change index just change computing function, then step is indexed.Such as, index can be carried out by constant vector to the step of adding constant vector, or index can be carried out by the step of the displacement of application to displacement sub-vector.In each case, performed specific function determined in the index at least in part by being supplied to function.
The step of index can also be reversible.Usually, if be each index calculation reversible step, and for the index that calculates described step or be available from its information that can obtain described index when inverting to described step, then the step of index is reversible.Such as, if be defined, and index (17) is available to guarantee it in the suitable time calculated when inverting to state vector function, then reversible.Exemplarily, step can operate some elements of described state.In order to carry out index to this step, other elements of described state may be used for calculating described index.If perform reversible step to other elements subsequently, then can obtain index by inverting to those steps, as long as two element sets are not overlapping.
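The following added example (not code from the patent or from Irdeto) illustrates the preceding paragraphs concretely: a small state vector function assembled from invertible steps over w-bit words (element addition, odd-constant multiplication) together with an indexed step, an element rotation whose index is read from a state element that the step itself leaves untouched, so the index is recoverable on inversion. The inverse runs the inverse steps in reverse order. The word size, vector length, step order and all constants are assumptions chosen for illustration.

```python
# Added example, not from the patent: a toy state vector function built from
# invertible steps over w-bit words, including one indexed step whose index is
# derived from a state element the step does not modify. Word size, vector
# length, step order and all constants are assumptions chosen for illustration.

W = 16                  # word size w in bits (assumed)
MASK = (1 << W) - 1     # reduces every result modulo 2^w
N = 4                   # vector length (assumed)


def rotl(x, r):
    """Rotate a w-bit word left by r bits (a non-T-function operation)."""
    r %= W
    return ((x << r) | (x >> (W - r))) & MASK


def rotr(x, r):
    """Rotate a w-bit word right by r bits; inverse of rotl for the same r."""
    r %= W
    return ((x >> r) | (x << (W - r))) & MASK


# Each step is a (forward, inverse) pair of in-place operations on a list of
# N words. The inverse undoes the forward step exactly, so the whole sequence
# is inverted by running the inverses in reverse order.

def add_step(i, j):
    """v[j] += v[i]; invertible because v[i] is unchanged by the step."""
    assert i != j
    def fwd(v): v[j] = (v[j] + v[i]) & MASK
    def inv(v): v[j] = (v[j] - v[i]) & MASK
    return fwd, inv


def mul_step(i, c):
    """v[i] *= c for odd c; the inverse multiplies by c^-1 modulo 2^w."""
    assert c & 1, "multiplier must be odd to be invertible modulo 2^w"
    c_inv = pow(c, -1, 1 << W)
    def fwd(v): v[i] = (v[i] * c) & MASK
    def inv(v): v[i] = (v[i] * c_inv) & MASK
    return fwd, inv


def indexed_rot_step(i, j):
    """Rotate v[i] by an index taken from the low bits of v[j] (i != j).

    This is an indexed step: the function applied depends on the index.
    The index is recoverable when inverting because v[j] is not modified
    here, which is the non-overlap condition described in the text."""
    assert i != j
    def fwd(v): v[i] = rotl(v[i], v[j] & (W - 1))
    def inv(v): v[i] = rotr(v[i], v[j] & (W - 1))
    return fwd, inv


# A short constructed step sequence. The non-T-function rotations are
# interleaved among T-function steps, as the text recommends.
STEPS = [
    add_step(0, 1),
    mul_step(2, 0x6A09),          # odd constant (constructed)
    indexed_rot_step(1, 3),       # index read from element 3
    add_step(3, 2),
    mul_step(0, 0x9E37),          # odd constant (constructed)
    indexed_rot_step(3, 0),       # index read from element 0
    add_step(2, 0),               # leaves element 0 unchanged, so the index
                                  # above is intact when the step is inverted
]


def state_vector_forward(vec):
    """Apply every step in order; returns a new N-word list."""
    assert len(vec) == N
    v = list(vec)
    for fwd, _ in STEPS:
        fwd(v)
    return v


def state_vector_inverse(vec):
    """Apply the inverse steps in reverse order; undoes state_vector_forward."""
    assert len(vec) == N
    v = list(vec)
    for _, inv in reversed(STEPS):
        inv(v)
    return v


def roundtrip_ok(vec):
    """True if inverting the forward function recovers the original vector."""
    return state_vector_inverse(state_vector_forward(vec)) == list(vec)


if __name__ == "__main__":
    sample = [0x1234, 0xABCD, 0x0F0F, 0x8001]     # constructed input
    print(state_vector_forward(sample), roundtrip_ok(sample))
```

Each inverse step runs on exactly the state its forward counterpart produced, which is why an index read from an untouched element is always available again; if `indexed_rot_step` read its index from an element that the same step also modified, the inverse would have no way to recover it.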
Function-indexed interleaving as disclosed herein is a particular example of the principle of using indexed steps in a basis function. Other uses of indexed steps as disclosed herein can include the creation of keyed state vector functions: the set of indexes used in some of the indexed steps can serve as a key. In this case the indexes are not obtained within the computation but are supplied by an extra input; that is, the function takes the state vector plus the key as its input. If the indexed steps are invertible and the ordinary non-indexed steps are invertible, then the whole state vector function is invertible, much like a keyed cipher.
In some embodiments, index information can be supplied or used as a key for the generated basis function. If the state vector function is partially evaluated with respect to the index information when it is generated, so that the index does not appear explicitly in the execution of the generated function, the index is a generation-time key. If code for processing the index information is generated during execution of the state vector function, so that the index appears explicitly in the execution of the generated function, it is a runtime key. If the code creates the index internally within the state vector function, it is a function-indexed key.
In embodiments, a basis function can be constructed based on an initially selected or identified word size w. In some configurations the default integer size of the host platform can be used as the word size w; for example, on modern personal computers the default integer size is typically 32 bits. As another example, a short integer length such as that used in C, e.g., 16 bits, can be used. In other configurations a word size of 64 bits can be used. A vector length n is also selected for the basis function, representing the length of the inputs and outputs in words of size w; typically the internal vectors comprise four or more words. In some embodiments, such as when interleaving techniques as disclosed herein are used, the word size w may preferably be twice the internal word size of the n-vector. A state vector function can then be created by concatenating a sequence of steps or combinations of steps, each performing an invertible step on an n-vector of w-bit element words. The inverse of the state vector function can be generated by concatenating the inverses of the steps in reverse order.
In some embodiments, one or more keys can also be incorporated into a state vector function. Various types of key can be applied to or integrated with the state vector function, including runtime keys, generation-time keys and function-indexed keys as described previously. To generate a state vector function with a runtime key, the function can be modified to explicitly receive the key as an extra input. To generate a state vector function with a generation-time key, the code in the state vector function can be partially evaluated with respect to the supplied key. For many types of operation, this alone, or in combination with typical compiler optimizations, can be sufficient to make the key unrecoverable from, or unobvious in, the generated code. To generate a state vector function with a function-indexed key, the state vector function can be constructed so that it supplies the appropriate key for the inverse operation as needed within the state vector function.
In some embodiments, it may be preferable to select an implementation of the state vector function that accepts relatively wide inputs and provides relatively wide outputs, and that includes a full complement of invertible steps. In particular, it may be preferable to construct an implementation that accepts inputs and outputs at least 64 bits wide. A large proportion of the steps in the state vector function, e.g., at least 50% or more, may preferably be linear or affine operations. The state vector function may also preferably be selected to have a broadly diverse set of steps.
In some embodiments, it may be preferable to index a large majority of the steps, e.g., at least 50% or more, using various forms of indexing. Suitable forms of indexing include if-then-else or switch constructs, element-permutation selection, iteration counts, element rotation counts and the like. For some or all of the indexes, function-indexed keys as disclosed herein may also be preferable.
In some embodiments, for the initial and/or final steps of the state vector function, it may be preferable to use steps that mix the input entropy across the whole state vector, where typically the input entropy is distinct from the input of any separate key.
In some embodiments, the state vector function may preferably be constructed so that a non-T-function step is performed at least every few steps. In terms of programming operations, examples of T-function steps include addition, subtraction, multiplication, bitwise AND, bitwise XOR, bitwise NOT and the like; examples of non-T-function steps include division, modulo assignment, bitwise right-shift assignment and the like. Other examples of non-T-function steps include element rotations indexed by function-indexed keys, sub-vector permutations and the like. As disclosed previously, including non-T-function steps can prevent or reduce the effectiveness of certain types of attack, such as bit-slice attacks.
As previously described, a state vector function pair comprises a state vector function as described herein together with its complete inverse. In operation, construction of the state vector function pair can, but need not, be performed by combining a series of parameterized algorithms and/or inverse algorithms in the form of language source such as C++ code. Similarly, generation-time key substitution can, but need not, be performed by a combination of macro substitution in a macro preprocessor, function in-lining and parameterized templates. Such combination, substitution and other operations can be automated in a state generation system as disclosed herein. Once a state vector function pair has been generated, binary and/or compiler-level tools can be used to further modify the generated code to protect one or both of its members. In some embodiments, the particular modifications made to one or both functions of the state vector function pair can be selected based on whether each member is expected to execute in an environment likely to be attacked.
For example, in some embodiments, a function or portion of a function expected to be in an exposed environment can be bound to the code near the point at which the input vector is provided to the state vector function, and/or near the point at which the output vector is consumed by the code that invokes it. The code can be bounded, for example, by using dynamic data mangling and/or fracturing as disclosed herein; for instance, the input can be provided from a mangled store, and the output can be retrieved by the caller from a mangled store. Other techniques may be used to bind the code at these points, such as data-flow duplication with cross-linking and cross-trapping as disclosed herein. Different combinations can be used, for example where dynamic data mangling, fracturing and data-flow duplication are all applied at the same point to bind the code there. The protections expected to be applied to code in exposed environments can be applied to one or both members of the state vector function pair, with the portion of code affected determined by the required level of security. For example, applying multiple additional protection types at every point, or nearly every point, where they could be applied can provide maximum security; applying a single protection at multiple points, or applying multiple protection types at only a single code point, can provide a lower level of security but may offer improved performance during code generation and/or execution. In some embodiments, fracturing can be applied at multiple points throughout the generation and binding process, because there are many opportunities to create fractures, owing to the many linear and affine operations generated among the steps of the state vector function during its construction.
In some embodiments, it may be useful to make one member of the state vector function pair more compact than the other. This can be achieved, for example, by making the computation of the other member of the pair more expensive. As a particular example, when one member of the state vector function pair is used in exposed and/or power-limited hardware such as a smart card, the member resident on that hardware may preferably be more compact than in other embodiments disclosed herein. To this end, the computational cost of the corresponding server-resident or other non-exposed member of the state vector function pair can be made significantly higher. As a particular example, rather than using the relatively large number of coefficients disclosed herein and expected from the state vector function generation techniques, a repeating algorithm can be used. The repeating algorithm can use coefficients supplied by a predictable stream-generation process or similar source, such as a random number generator that uses a seed fully defining the generated sequence. A suitable example of such a generator is a pseudo-random generator based on ARC4. In some embodiments, such as when the available RAM or similar memory is relatively limited, using variants with smaller element sizes may be preferable. The pseudo-random number generator may be used to generate all matrix elements and permutation vector elements. Suitable constraints can be applied to ensure the invertibility of the resulting function. To invert, the generated matrices can be regenerated from knowledge of the seed, at the cost of generating the complete stream used in the exposed member and reading it in reverse, inverting each matrix multiplication, and inverting each vector element addition in the permutation. Thus a resource-limited device such as a smart card can be adapted to execute one member of the state vector function pair, while the system as a whole still obtains at least some of the benefits of a full state vector function system as disclosed herein.
Secure communication conduit
As shown in the block diagram of Figure 29, basis functions as disclosed herein may be used to provide a secure communication pipe (that is, an e-link) from one or more applications on one or more platforms to one or more applications on one or more other platforms. The same process may be used to protect communication from one subroutine to another on a single platform. In brief, a basis function pair may be used to protect the pipe by performing encryption and decryption, as a cipher, at each end of the pipe. In embodiments, the basis function pair can be applied to the pipe start and pipe end and also to the applications and their platforms, so that they are bound together and bound to the pipe. This protects the (1) application-to-pipe-start, (2) pipe-start-to-pipe-end, and (3) pipe-end-to-application information flows.
An illustrative implementation of such a process is as follows. First, a key k is generated using a random or pseudo-random process. The key k and randomization information r are then used to generate a basis function pair. The basis functions are then applied to the pipe start and pipe end, so that at runtime the pipe start computes one member of the pair and the pipe end computes the other. The key k can then be discarded, since it is not needed to execute the protected code. In all such applications, the basis function specification will be a cipher-based specification (similar to FIPS-197 for AES encryption and decryption). A cloaked basis function is a particular implementation (the pipe start and pipe end above) of a plain basis function, designed to defeat an attacker's attempts to find k, to invert the basis function (that is, to break the encryption), or to break any of the bindings described above. That is, a plain basis function is one that directly implements the function or its inverse without adding any obfuscation. A cloaked basis function still computes the same function or its inverse, but does so in a far less direct manner: its implementation uses the obfuscation entropy r to find a randomly chosen, hard-to-follow technique for implementing the function or its inverse. Further examples of techniques for creating and using cloaked basis functions are provided in greater detail herein.
Function-indexed interleaving
To protect against homomorphic mapping attacks, embodiments disclosed herein can replace matrix functions with functions that are (1) wide-input, that is, the number of bits making up a single input is large, so that the set of possible input values is very large; and (2) deeply nonlinear, that is, the function cannot be converted into a linear function by I/O encoding (that is, by individually recoding each input and each output separately). Wide inputs make brute-force inversion by tabulating the function over all inputs consume an impractically large amount of memory, and deep nonlinearity prevents homomorphic mapping attacks.
Some embodiments can use "function-indexed interleaving", which can provide deep nonlinearity for the diffusion and/or confusion components. A function from vectors to vectors is deeply nonlinear if and only if it cannot be implemented by a matrix together with any separate input and output encodings. If it is not deeply nonlinear, then it is "linear up to I/O encoding" ("linear up to I/O encoding" is the weakness exploited in the BGE attack on white-box AES).
Function-indexed interleaving allows a consistent, deeply nonlinear system of equations to be solved by means resembling those for linear systems. It can be used to promote a form of data-dependent processing, a kind of dynamic diversity, in which not only the result of a computation but the nature of the computation itself depends on the data. Figure 30 shows a process flow diagram of an example function-indexed interleaving process, in which a single 4x4 function is interleaved with a family of 4x4 functions. The 1x1 function and 1x1 function-family case allows the combination of functions of any kind, for example combining a cipher with itself (in the spirit of 3DES) to enlarge the key space; combining different ciphers with one another; combining standard ciphers with other functions; and combining hardware and software functions into a single function.
In the example implementation shown in Figure 30, the square boxes represent bijective functions, typically but not necessarily implemented by matrices. The triangle has the same input as the square box it touches and controls a switch that selects among the multiple right-side functions, and the inputs and outputs are interleaved between the left and right sides, as shown:
- if the left box and the right boxes are one-to-one, so is the whole function;
- if the left box and the right boxes are bijective, so is the whole function;
- if the left box and the right boxes are MDS (maximum distance separable), so is the whole function, whether or not it is bijective.
If the triangle and all boxes are linear and chosen at random, then (by observation) over 80% of the constructions are deeply nonlinear.
In the example embodiments disclosed herein, function-indexed interleaving occurs four times in the specification. Each occurrence comprises three 4x4 linear mappings for some 4x4 matrix M. Each instance of function-indexed interleaving has a single left-side function and 2^4 = 16 right-side functions.
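The construction in Figure 30, reduced to a toy size, as an added example that is not the patent's or Irdeto's code: the left box is a 2x2 invertible matrix over Z/2^w, the triangle selects one of four right-side 2x2 matrices from the left input, and the left and right output words are interleaved. Because the selector reads the left input rather than the output, the inverse can recover the left input first, recompute the selection, and then invert the chosen right matrix. The word size, the matrices and the selector rule are assumptions; the `additivity_defect` check shows that, although every box is linear, the selector makes the whole function fail the linearity test, which is the point of the construction.

```python
# Added example, not from the patent: a toy instance of function-indexed
# interleaving. The left function is a 2x2 invertible matrix over Z/2^w; a
# selector computed from the LEFT INPUT picks one of four right-side 2x2
# matrices; the left and right outputs are interleaved. Inversion recovers
# the left input first, recomputes the selector, then inverts the chosen
# right matrix. Word size, matrices and the selector rule are assumptions.

W = 8                 # word size (assumed small for readability)
M = 1 << W            # all arithmetic is modulo 2^w


def mat_mul2(m, v):
    """Multiply 2x2 matrix m by 2-vector v modulo 2^w."""
    return [(m[0][0] * v[0] + m[0][1] * v[1]) % M,
            (m[1][0] * v[0] + m[1][1] * v[1]) % M]


def mat_inv2(m):
    """Inverse of a 2x2 matrix modulo 2^w; it exists iff the determinant is odd."""
    (a, b), (c, d) = m
    det = (a * d - b * c) % M
    if det % 2 == 0:
        raise ValueError("matrix is not invertible modulo 2^w")
    di = pow(det, -1, M)
    return [[(d * di) % M, (-b * di) % M],
            [(-c * di) % M, (a * di) % M]]


# Constructed matrices; every determinant is odd, so each one is a bijection.
LEFT = [[3, 2], [5, 7]]
RIGHTS = [[[1, 2], [0, 1]],
          [[3, 1], [2, 1]],
          [[5, 4], [3, 3]],
          [[7, 2], [4, 3]]]
LEFT_INV = mat_inv2(LEFT)
RIGHTS_INV = [mat_inv2(r) for r in RIGHTS]


def selector(left_in):
    """The 'triangle': chooses a right-side function from the left input.
    Depending on the input rather than the output is what lets the inverse
    recompute the same choice after undoing the left function."""
    return (left_in[0] ^ left_in[1]) & (len(RIGHTS) - 1)


def interleave_forward(x):
    """x = [x0, x1, x2, x3]: left half (x0, x1), right half (x2, x3)."""
    left_in, right_in = x[0:2], x[2:4]
    left_out = mat_mul2(LEFT, left_in)
    right_out = mat_mul2(RIGHTS[selector(left_in)], right_in)
    # Interleave the outputs: left and right words alternate.
    return [left_out[0], right_out[0], left_out[1], right_out[1]]


def interleave_inverse(y):
    """Undo interleave_forward."""
    left_out, right_out = [y[0], y[2]], [y[1], y[3]]
    left_in = mat_mul2(LEFT_INV, left_out)
    right_in = mat_mul2(RIGHTS_INV[selector(left_in)], right_out)
    return left_in + right_in


def additivity_defect(a, b):
    """f(a+b) - f(a) - f(b) modulo 2^w. This is zero for every pair iff f is
    linear over Z/2^w; a nonzero vector witnesses that the selector has made
    f nonlinear even though every individual box is a matrix."""
    s = [(p + q) % M for p, q in zip(a, b)]
    fa, fb, fs = interleave_forward(a), interleave_forward(b), interleave_forward(s)
    return [(fs[i] - fa[i] - fb[i]) % M for i in range(4)]


if __name__ == "__main__":
    x = [0x12, 0x34, 0x56, 0x78]                       # constructed input
    print(interleave_forward(x), interleave_inverse(interleave_forward(x)) == x)
    print(additivity_defect([1, 0, 1, 0], [2, 0, 0, 0]))
```

With the constructed inputs [1, 0, 1, 0] and [2, 0, 0, 0] the selector picks right matrices 1, 2 and 3 for a, b and a+b respectively, so the right-hand output words of f(a+b) are not the sum of those of f(a) and f(b); that is the nonlinearity no separate input or output recoding can remove.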
Notably, function-indexed interleaving can also be nested, so that the left function or the right function family can itself be an instance of function-indexed interleaving. In such an arrangement the result is a recursive instance of function-indexed interleaving. Generally, such instances are more difficult for an attacker to understand than non-recursive ones; that is, the level of recursion in function-indexed interleaving should increase the level of obscurity.
Further example embodiments and the corresponding mathematical treatment of function-indexed interleaving are provided in Section 2.9 and, in particular, Section 2.9.2 and Figure 8 of the annex.
Mark I system
Three particular example embodiments, referred to as the Mark I, II and III systems, are described in detail herein. An exemplary implementation of Mark I is presented in the process flow diagram of Figure 31. In this example, the square boxes represent matrices encoded with mixed Boolean-arithmetic (MBA) polynomials. The ambiguity of the MBA polynomial data and operation encodings is likely very high and probably grows rapidly with the degree of the polynomials. Each matrix is encoded independently, and the interface encodings need not match; thus the 2x2 recodings cannot be linearly combined with their predecessors and successors. The central construction is function-indexed interleaving, which makes the text processing text-dependent. Using simple variations with permutations, the number of interleaved functions can be very large at low overhead. For example, permuting the rows and columns of the 4x4 matrices provides 576 choices. As another example, XORing with initial and final constants provides a relatively very high number of choices. The initial and final recodings mix entropy across the corresponding inputs and outputs of the fixed left matrix and the selectable right matrices. The internal I/O recodings on each matrix yield a homomorphic mapping duty cycle from level to level, thereby admitting a full "birthday paradox" vulnerability: the duty cycle can be higher but not lower.
Example embodiments of the Mark I system and the corresponding mathematical treatment are provided in Sections 3.5 and 4 and Figure 4 of the annex.
However, it has been found that Mark I type implementations may have two weaknesses that could be exploited in some circumstances:
1) static dependency analysis may be used to isolate the components; and
2) only the shift operation in the "switch" and the comparison are non-T-functions. All other components are T-functions and can therefore be analyzed recursively using a bit-slice attack.
T-functions
A function mapping k-vectors of w-bit words to m-vectors of w-bit words is a T-function if, for every pair of input vectors x and x' with corresponding outputs y and y' (bits within a word being numbered from 0 to w-1), the lowest-numbered bit position in an element word at which y and y' differ is no lower than the lowest-numbered bit position in an element word at which x and x' differ.
Thus a function that is a T-function has the property that, for i > j, a change to bit i of an input element will not affect bit j of an output element. Typically the bit positions within a word are numbered from the low-order to the high-order bit, treating the word as representing a binary magnitude, so this can be restated as: an output bit can depend only on input bits of the same or lower order. It may therefore be possible to "slice off" or ignore the higher-order bits and still obtain valid data. Compared with known implementations that use only hundreds of T-functions, some embodiments can incorporate tens of millions of T-functions. As a result, embodiments disclosed herein are more resistant to bit-slice attacks and statistical attacks.
Any function composed entirely of operations on w-bit words of the kinds listed above as T-function operations (addition, subtraction, multiplication, bitwise AND, XOR, NOT and the like) is a T-function. An obfuscated construction with the T-function property is vulnerable to a bit-slice attack, because from any T-function another legitimate T-function can be obtained by dropping the high-order bits from all the words in the input and output vectors. The T-function property does not hold for right bit-shifts, bitwise rotations, division operations, or remainder or modulo operations whose divisor/modulus is not a power of 2; nor does it hold for functions whose conditional branching decisions let higher-order condition bits affect the values of lower-order output bits. Conditional branches and conditions based on comparisons, or on conditions formed using any of the six standard comparisons, can all easily violate the T-function condition; in fact, in ordinary code using comparison-based branching logic, it is easier to violate the T-function condition than to obey it.
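The property just defined can be checked mechanically, which is useful when reviewing whether a proposed step mix really contains non-T-function steps. The following added example (not the patent's or Irdeto's code) tests single-word functions exhaustively using the equivalent formulation that the low k bits of the output must depend only on the low k bits of the input, for every k; it also builds the bit-slice truncation that the paragraph describes, which for a T-function is itself a well-defined T-function on k-bit words. The word size w = 8 and the candidate steps and constants are assumptions chosen so that every input can be enumerated.

```python
# Added example, not from the patent: an exhaustive checker for the
# T-function property on single-word functions, plus the bit-slice
# truncation it enables. Definition used: f is a T-function iff for every
# k in 1..w, the low k bits of f(x) depend only on the low k bits of x.
# Word size w = 8 is assumed so that every input can be enumerated.

W = 8
MASK = (1 << W) - 1


def low(x, k):
    """Keep the low k bits of x."""
    return x & ((1 << k) - 1)


def first_non_t_position(f):
    """Smallest k at which the low k output bits of f are NOT determined by
    the low k input bits, or None if f is a T-function."""
    for k in range(1, W + 1):
        for x in range(1 << W):
            if low(f(x), k) != low(f(low(x, k)), k):
                return k
    return None


def is_t_function(f):
    """True iff f satisfies the T-function property for every k."""
    return first_non_t_position(f) is None


def bit_slice(f, k):
    """The k-bit function obtained by dropping the higher-order bits. For a
    T-function this is itself a well-defined T-function on k-bit words,
    which is why a design built only from T-function steps can be studied
    one bit position at a time."""
    return lambda x: low(f(low(x, k)), k)


def rotl(x, r):
    """Rotate an 8-bit word left by r bits."""
    return ((x << r) | (x >> (W - r))) & MASK


# Candidate single-word steps; constants are constructed for illustration.
CANDIDATES = {
    "add_const":   lambda x: (x + 0x5B) & MASK,
    "mul_odd":     lambda x: (x * 0x6D) & MASK,
    "xor_const":   lambda x: x ^ 0xA5,
    "and_const":   lambda x: x & 0x3C,
    "shift_left":  lambda x: (x << 1) & MASK,
    "square":      lambda x: (x * x) & MASK,
    "rotate_left": lambda x: rotl(x, 1),
    "shift_right": lambda x: x >> 1,
    "div_3":       lambda x: x // 3,
    "mod_3":       lambda x: x % 3,
    "compare_gt5": lambda x: 1 if x > 5 else 0,
}


def classify():
    """Map each candidate step name to whether it is a T-function."""
    return {name: is_t_function(f) for name, f in CANDIDATES.items()}


if __name__ == "__main__":
    for name, is_t in classify().items():
        k = first_non_t_position(CANDIDATES[name])
        print(f"{name:12s} T-function={is_t}"
              + ("" if is_t else f" (low {k} output bit(s) need higher input bits)"))
```

For the candidates above the arithmetic and bitwise steps pass, while rotation, right shift, division and modulo by 3, and the comparison each fail already at k = 1: their lowest output bit depends on input bits above bit 0, so a bit-slice reduction cannot treat them one bit position at a time. That is the reason the text asks for such a step at least every few steps.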
External and internal vulnerabilities and attack resistance
By repeatedly applying either function of a bijective function pair (where the function is a T-function), it may be possible to characterize the computation precisely using a bit-slice attack. In such an attack, the operation of these functions is considered ignoring all but the low-order bit, then ignoring all but the two low-order bits, and so on. This provides information until the full word size (e.g., 32 bits) is reached, at which point complete information about how the function behaves may be obtainable, which is equivalent to knowledge of the key k. This is an external vulnerability: the attack gains knowledge of implementation details without any inspection of the code implementing those details, and can be performed as an adaptive known-plaintext attack on a black-box implementation.
A less serious vulnerability can exist if the functions of the pair have the following property: each function acts as a specific T-function on a specific domain, and the number of distinct T-functions is low. In this case a statistical bucketing attack can characterize each T-function. Then, if the domains can likewise be characterized without any inspection of the code, an attacker can fully characterize the functionality of a member of the pair using an adaptive known-plaintext attack, bypassing its protections entirely using only black-box methods. Clearly, it is desirable to have a sufficient number of distinct T-functions to defeat the above attack. In Mark III type implementations, for example, there are over 10^8 distinct T-functions per segment and over 10^40 T-functions overall. Mark III type implementations are described in further detail herein.
In some cases an implementation may comprise functions implementing full cascade, that is, each output depends on each input and, on average, changing one input bit changes half of the output bits. An example of an internal vulnerability can arise in Mark II type implementations where, by "cutting" the implementation at certain points, it may be possible to find sub-implementations (components) corresponding to matrices, so that the dependency level is exactly 2x2 (in which case the component is a mixer matrix) or 4x4 (in which case it is one of the L, S or R matrices). Once these are isolated, the properties of linear functions allow very efficient characterization of these matrices. This is an internal attack because it requires non-black-box methods: it in fact requires inspection of the internals of the implementation, either static (to determine dependencies) or dynamic (to characterize the matrices by linearity-based analysis).
As a general rule, the more external attacks are prevented and the more a potential attacker is forced to rely on increasingly fine-grained internal attacks, the more difficult the attacker's work becomes and, most importantly, the more difficult it becomes for the attacker to automate. Automated attacks are especially dangerous because they can effectively provide a class break, allowing all instances of a given technique to be compromised by a tool that can be widely distributed.
Therefore, embodiments disclosed herein can, by means of a variable and continually complicated internal structure and continually varying defences, provide an environment in which any complete break of an instance requires many sub-breaks; the required sub-breaks differ between instances; the structure and number of the components to be attacked differ between instances; and the protection mechanisms employed differ between instances. In this case, automating the attack becomes a large enough task to discourage attackers from attempting it. Over the long period of time it would take to build such an attack tool, the deployed protection can be updated or otherwise moved to new techniques for which the attack tool's algorithms are no longer sufficient.
Mark II system
A block diagram of an example Mark II type implementation according to an embodiment is presented in Figures 23 and 12. Figure 23 presents the processing of the "base kernel function" that occurs four times in Figure 12. The complete execution flow of the Mark II type system is shown in Figures 5 and 6 and is described in further detail with reference to Figures 5 and 6 in Section 5.1 of the annex.
In implementations according to the Mark II type example, recodings are used explicitly in the functional components selected by k. Right-side recodings and permutations are selected text-dependently from 16 configurations per core and 65,536 configurations overall. However, an overall T-function count of 65,536 may be too low for many situations; a blind bit-slice attack using statistical bucketing, even one that ignores the internal structure, may be sufficient to break a Mark II implementation given enough attack time.
The balance of the Mark II type implementation is shown in Figure 12. The initial and final permutations and recodings are randomly selected static ones, as shown. Side exchanges between cores 1 & 2 and between cores 3 & 4, and a half exchange between cores 2 & 3, ensure text dependence across the whole text width. However, the highly regular structure facilitates isolation of the components by dependency analysis. Once the components are isolated, the T-functions can be analyzed by bit-slice analysis. The non-T-function components are simple, and direct attacks can be used to break the non-T-functions. Thus Mark II implementations are effective and useful in many applications, but may be compromised with sufficient access and effort.
Mark II is proposed as similar to Mark I in that it has a fixed internal structure, with indexed variation only at the centre of the basis function implementation. Further description of the example embodiments implemented in accordance with Mark II and the corresponding mathematical treatment is provided in Section 5.1 of the annex.
Mark III system
With the above-described I of mark with mark II and realize relatively, the mark III basis function design according to embodiment disclosed herein can comprise with properties:
The structure that-unconventional and key is determined, makes assailant can not know the details of structure in advance;
It is functional that-altitude information is correlated with: change data can change the process to data, and it is resource-intensive that statistical bucket is attacked;
-relatively high T function counts (quantity being subject to the independent subfunction that the section of recurrence bit is attacked), makes to attack infeasible to the blind bit section of its T function;
-redundancy and implicit expression cross-check data stream, it is height resource-intensive that code revision is attacked; And
-comprehensively cause fuzzy correlativity, make the analysis based on correlativity be resource-intensive.
Figure 13 schematically shows the execution flow in a portion of an example Mark III type implementation. As in the examples described for the Mark I and Mark II type implementations, each component may represent a function, process, algorithm, etc., and the arrows represent potential execution paths between them. Where different arrows lead to different points in a component, it will be appreciated that different parts of the component may be executed, or that different execution paths within the component may be selected. As shown in Figure 13, the Mark III type implementation provides an unconventional, key-dependent, data-dependent, data-flow-redundant, cross-linked, cross-checked, tamper-chaotic structure, including nested function-indexed interleaving within function-indexed interleaving. The cross-linking can be omnidirectional because, in each interleaving, the right-side selection depends on the left-side input rather than on its output, so reordering the simple code in each segment permits both right-to-left and left-to-right cross-connection. As shown in Figure 14, the unconventional, extremely fine-grained division into T-functions defeats attacks that partition the whole into T-functions.
Figure 15 shows another example schematic of a portion of a Mark III type implementation disclosed herein. As shown in Figure 15, the initial and final mixing can use linear transforms of 32-bit words of width 3 to 6. Five to seven segments can be used, each containing a 3-band recursive instance of function-indexed interleaving. Each band is 3 to 6 elements wide, and the three bands together always total 12 elements. With I/O permutation and I/O rotation matrices, each segment provides more than 1,000,000,000 T-subfunctions; the whole base function has more than 10^40 T-subfunctions. Data flow duplication, random cross-connection and random checks can also be used in combination with code reordering to produce pervasive cross-dependencies.
The multiple different defences usable in a Mark III type system are illustrated as a whole in Figure 16. They include features such as the following:
- memory scrambling with transforms (dynamic data mangling), which buries and fractures the data flow;
- random cross-linking, cross-trapping and variable-dependent coding, which produce pervasive interdependence and a chaotic tamper response;
- permutation polynomial encodings and function-indexed interleaving, which constrain linear attacks;
- a variable, randomly chosen structure, which constrains attacks based on prior knowledge; and
- functionality highly dependent on runtime data, which reduces repeatability and constrains statistical bucketing attacks.
Further details of Mark III type implementations are provided in Section 6 of the Appendix. A related process for constructing invertible matrices is provided in Section 3.3 of the Appendix. As shown and described, initial and/or final mixing steps can also be used; examples are provided in Section 2.8 of the Appendix.
By mixing each input into each output with 2x2 bijective matrices, with conditional swaps, we can take exactly the same network topology and, at generation time, mix each input of the base function with every other input using one such mixing network, and finally use another such network to mix each output of the base function with every other output. As noted above, the mixing is not perfectly uniform, and the conditional swaps that replace mixing steps can be used to reduce its bias. The inputs and outputs of segments can also be further subdivided, for example as described in further detail in Sections 6.2.3-6.2.7 of the Appendix and as shown in Figure 11.
Data flow duplication
Some embodiments can include data flow duplication techniques. For example, as described below, for each instruction that is not a JUMP..., ENTER or EXIT instruction, the instruction can be copied so that the original instruction is immediately followed by its copy, and new registers can be chosen for all of the copied instructions such that, if x and y are instructions where y is the copy of x, then:
1) if an input of x is an output of an ENTER instruction, the corresponding input of y uses the same input;
2) if an input of x is an output of an original instruction u that has a copy v, then the corresponding input of y takes the output of v that corresponds to the output of u from which the input of x is taken; and
3) if x outputs to an EXIT instruction, the corresponding output of y goes to a special unused sink node, indicating that its output is discarded.
Thus, except for branches, all computation occurs both in an original and in a copy.
To accomplish this transformation, we proceed as follows.
We add a new instruction, JUMPA ("jump arbitrarily"), which in control flow graph (CFG) form is an unconditional branch with two destinations, like a conditional branch, but which has no input: instead, JUMPA chooses randomly between its two destinations. JUMPA is not an essential part of the VM instruction set, and no JUMPA will occur in the final obfuscated implementation.
We use JUMPA in the following transformation procedure:
1) if the implementation is not already in SMA (static multi-assignment) form, convert it to SMA form;
2) for each BB X_i in the implementation, replace it with three BBs as follows: create a new BB equal to X_i (its copy), add a new BB C_i containing only a single JUMPA instruction whose two targets are X_i and the copy, and make every non-JUMPA branch that targeted X_i target C_i instead;
3) convert the implementation to SSA (static single assignment) form, which isolates each X_i from its copy in terms of local data flow, while corresponding instructions in X_i and its copy still compute the same values;
4) merge all of the code in each copy back into its X_i so that instructions from X_i and from its copy alternate in the merged X_i: each pair of corresponding instructions is consecutive, the X_i instruction first and then the corresponding copied instruction;
5) make each branch that targeted C_i target the corresponding X_i instead, and remove all C_i and copy BBs. At this point the data flow is duplicated, the original shape of the CFG is restored, and the implementation contains no JUMPA instructions. Record which instructions in each X_i correspond, for later use.
Further details of control flow duplication are provided in Section 5.2.6 of the Appendix with reference to Figure 9, which illustrates an example process for control flow duplication according to embodiments disclosed herein.
Fractures and fracture functions
Normally, when an encoded output is produced, it is consumed under exactly the same assumed encoding, so that the encoded form of an operation is the operation composed with the input decoding on one side and the output encoding on the other.
In some embodiments it may be advantageous to output a value under one encoding and have the subsequent input assume some other encoding. If x is output under the producing encoding and subsequently consumed under the assumption of a different encoding, then in effect we apply the composition of the consumer's decoding with the producer's encoding to the unencoded value. Such an intentional mismatch between the encoding in which a value is produced and the encoding assumed when it is consumed is called a "fracture". If the encodings are linear, so is the fracture function; if they are permutation polynomials, so is the fracture function.
In some embodiments, fractures can be useful in obfuscation because the computation they effectively perform does not appear in the encoded code: the amount and form of code that performs a normal encoded computation and of code that adds an operation by means of a fracture are identical, and there appears to be no obvious way to disambiguate these cases, since encodings themselves tend to be ambiguous to some degree.
Note that what defines the properties of a fracture is the fracture function, i.e. the composition of the inverse of the consuming encoding with the producing encoding. Generally, there are many different choices of consuming encoding v and producing encoding u that yield exactly the same fracture function; for example, two quite different pairs of producing and consuming encodings may well compose to the identical fracture function. Therefore it is the fracture function that is specified; the producing and consuming encodings are implied by it.
Data scrambling via mass data encoding
Mass data encoding (MDE) is described in U.S. Patent No. 7,350,085, the contents of which are incorporated herein by reference. In brief, MDE scrambles memory locations in a hash-like manner, recodes memory cells on each store, and dynamically recodes and relocates memory cells by background processes. By making the fetch and store recodings mismatch, a fetch or store can perform an addition or multiplication while continuing to look like a simple fetch or store. This makes it difficult for an attacker to distinguish mere obfuscation from useful work.
MDE is compiled rather than merely interpreted, so the supported data structures are partially implicit and therefore well obscured. Actual addresses are scrambled and re-scrambled by background activity. As shown in Figure 17, code accessing virtual MDE memory is initially written as if it were accessing an ordinary memory segment. The code is then modified, by the method described in U.S. Patent 7,350,085, to use mapping techniques that encode both the data in memory and its locations. Thus, beneath the code that is operating, the accessed locations move around over time, and the encodings applied to the data likewise change over time. This protection technique has considerable overhead, but its highly dynamic nature makes it difficult for an attacker to gain insight into software that uses it. Cells are recoded when stored and are periodically recoded by background activity. Additions or multiplications (key-controlled) can be performed by a corresponding mismatch between the recoding applied on a fetch and the recoding applied on a store. Fetched items are recoded, but are smooth (i.e., not unencoded). Stored items are not smooth before storing, and are recoded on storing into the dynamically selected new cell encoding. Without the code that accesses the stored data, the stored data are meaningless. A program can have any number of distinct, non-overlapping MDE memories. An MDE memory can be moved as a block from one location to another, or transported via a transmission medium from one program to another. That is, messages of sufficient bulk can be transmitted in MDE memory form.
The initial state of the memory is not produced by activity visible to the hacker, and so hides how its contents were obtained. That is, the initial state is especially obscure.
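The following toy MDE memory is an added example; it is not the patent's code nor that of the referenced U.S. Patent 7,350,085. It models the three behaviours the passage describes: cell addresses are scrambled by a key-controlled permutation, every store recodes the cell under a freshly chosen linear encoding a*v + b mod 2^32, and a background pass re-scrambles and recodes every cell while preserving its contents. It also shows how a deliberate mismatch between the store recoding and the fetch recoding turns a plain-looking fetch into an addition or a multiplication. The class, method names, key value and sample contents are all my own constructions.

```python
"""Toy mass-data-encoding (MDE) memory (added example, not the patent's code)."""
import random

M = 1 << 32
MASK = M - 1


class MDEMemory:
    def __init__(self, size, key):
        self.rng = random.Random(key)          # all choices are key-controlled
        self.size = size
        self.addr_map = list(range(size))      # virtual address -> physical cell
        self.rng.shuffle(self.addr_map)        # hash-like address scrambling
        self.cells = [(0, 1, 0)] * size        # (encoded word, a, b) per cell

    def _fresh_encoding(self):
        """Pick a new linear encoding; an odd multiplier is invertible mod 2**32."""
        return self.rng.randrange(1, M, 2), self.rng.randrange(M)

    def _raw(self, vaddr):
        return self.cells[self.addr_map[vaddr]]

    def store(self, vaddr, v):
        """Recode v under a new cell encoding and write it to the scrambled cell."""
        a, b = self._fresh_encoding()
        self.cells[self.addr_map[vaddr]] = ((a * v + b) & MASK, a, b)

    def fetch(self, vaddr):
        """Plain fetch: undo the cell's own encoding."""
        y, a, b = self._raw(vaddr)
        return ((y - b) * pow(a, -1, M)) & MASK

    def fetch_plus(self, vaddr, k):
        """Mismatched fetch: decoding with offset b - a*k yields v + k, while
        the code has exactly the shape of a plain fetch."""
        y, a, b = self._raw(vaddr)
        return ((y - (b - a * k)) * pow(a, -1, M)) & MASK

    def fetch_times(self, vaddr, m):
        """Mismatched fetch: decoding with multiplier m * a^-1 yields v * m."""
        y, a, b = self._raw(vaddr)
        return ((y - b) * ((m * pow(a, -1, M)) & MASK)) & MASK

    def background_pass(self):
        """Background activity: relocate every cell and give it a new encoding;
        the contents seen through fetch() do not change."""
        plain = [self.fetch(va) for va in range(self.size)]
        self.rng.shuffle(self.addr_map)
        for va, v in enumerate(plain):
            self.store(va, v)


def demo():
    """Constructed walk-through: store two values, let the background pass
    run, then read them back plainly and through mismatched fetches."""
    mem = MDEMemory(8, key=2024)
    mem.store(3, 100)
    mem.store(5, 7)
    raw_before = mem._raw(3)
    mem.background_pass()
    return {
        "fetch": mem.fetch(3),                  # 100
        "plus": mem.fetch_plus(3, 23),          # 123
        "times": mem.fetch_times(5, 6),         # 42
        "recoded": raw_before != mem._raw(3),   # True: same value, new encoding
    }
```

The mismatched fetches are the point: `fetch`, `fetch_plus` and `fetch_times` are all one subtraction and one multiplication by constants, so an observer of the code cannot tell a plain load from a load that silently adds or scales, which is the ambiguity the passage relies on.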
Obfuscation via control flow encoding
Control flow encoding (CFE) is described in U.S. Patent No. 6,779,114, the contents of which are incorporated herein by reference. CFE combines code fragments into groups whose functionality is controlled by register switching: the mapping from functionality to code location is many-to-many, and external entropy can make execution highly unrepeatable, so that identical source code becomes many alternative executions in CFE code. By modifying the register switching and the dispatch code, key information can control what is executed and hence what computation embodiments of the invention perform.
The code represented by the control flow graph of Figure 18 (where letters represent code fragments) can be encoded as shown in Figure 19. The protected, control-flow-encoded form shows the underlying segments whose execution is controlled, the "active" segments selected by register switching, and the groups created by combining segments in the dispatcher.
CFE is compiled rather than merely interpreted, so the supported data structures are partially implicit and therefore well obscured. A group combines multiple segments: that is, it has multiple possible functionalities. When a group executes, which one or more of its segments are active is determined by its operations on the registers that point to real data rather than dummy data. The same segment can appear in multiple groups with different data encodings: the mapping from functionality to code location is many-to-many.
The dispatcher can be arranged to select segments embodying background processes, making it difficult to distinguish background from foreground activity. Available entropy is used to determine which of the alternative ways of executing a series of segments is used, which provides dynamic execution diversity (non-repeating execution). In addition, key information can be used to influence dispatch and hence change the algorithm that is represented.
Dynamic data mangling
As shown in Figure 20, reuse of the M registers can be maximized by using Chaitin's graph-colouring register allocation algorithm, so that a separate M register is allocated only when necessary. As a result, the M registers are reused frequently, which makes it difficult for an attacker to follow the data flow.
To do this, a modulus M, a permutation polynomial p over the ring of integers mod M, an input-based vector matrix A generated from the input z, and a series of constants obtained by applying p are first selected, where the values of the constants are distinct because p is a permutation polynomial mod M. The positions in an array X of size M are treated as "M registers".
During computation, data can be moved randomly into and out of the M registers, and from M register to M register, with the encoding changed on each move. Some embodiments can also randomly make the encodings form an unbroken sequence, or can inject fractures as disclosed herein, where the encodings do not match.
Given a fracture with the data encoded under e1 and the input assumed to be encoded under e2, the fracture function e3 is computed. If e1 and e2 are linear, then so is e3; if e1 and e2 are permutation polynomials, then so is e3. The code has the same form whether or not a fracture is present; that is, it is ambiguous whether or not a fracture is present. Thus, as previously described, fractures provide a means of injecting hidden computations, such that the code looks very much the same before and after they are added.
Additional details and the mathematical treatment of the use of dynamic data mangling are provided in Section 7.8.14 of the Appendix.
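The following is an added example, not the patent's code, covering both the fracture passage above and the e1/e2/e3 statement just made: encodings over Z/(2^w) are represented as polynomials, a value produced under e1 but consumed as if under a linear e2 receives the fracture function e3 = e2^-1 composed with e1, and the consumer's code is a polynomial evaluation whether or not a fracture is present. The linear and quadratic coefficient values, the word size w = 8 (small enough to check bijectivity exhaustively) and the helper names are my own; the quadratic criterion used is Rivest's (a1 odd, a2 even).

```python
"""Fractures between polynomial encodings over Z/(2**w) (added example, not the patent's code)."""


class Poly:
    """Polynomial over Z/(2**w); coefficients stored lowest degree first."""

    def __init__(self, coeffs, w):
        self.w, self.mod = w, 1 << w
        self.c = [c % self.mod for c in coeffs]

    def __call__(self, x):
        acc = 0
        for c in reversed(self.c):          # Horner evaluation
            acc = (acc * x + c) % self.mod
        return acc

    def is_perm_poly(self):
        """Rivest's criterion for degree <= 2: a1 odd and a2 even."""
        a1 = self.c[1] if len(self.c) > 1 else 0
        a2 = self.c[2] if len(self.c) > 2 else 0
        return len(self.c) <= 3 and a1 % 2 == 1 and a2 % 2 == 0


def inverse_linear(e):
    """Inverse of the linear encoding b + a*x, namely a^-1*(y - b)."""
    b, a = e.c
    inv = pow(a, -1, e.mod)
    return Poly([-inv * b, inv], e.w)


def compose_linear(outer, inner):
    """outer(inner(x)) for two linear encodings."""
    b1, a1 = inner.c
    b2, a2 = outer.c
    return Poly([a2 * b1 + b2, a2 * a1], outer.w)


def fracture(e1, e2):
    """Fracture function e2^-1 o e1 for a linear consuming encoding e2.
    Multiplying every coefficient by the odd a^-1 keeps the parity pattern,
    so a permutation-polynomial e1 yields a permutation-polynomial e3."""
    b, a = e2.c
    inv = pow(a, -1, e2.mod)
    return Poly([inv * (e1.c[0] - b)] + [inv * c for c in e1.c[1:]], e1.w)


def is_bijection(p):
    """Exhaustive check, intended for small w only."""
    return len({p(x) for x in range(p.mod)}) == p.mod


def consume(encoded_value, decoder):
    """The consumer's code is the same whether `decoder` matches the
    producer's encoding or hides a fracture: it evaluates one polynomial."""
    return decoder(encoded_value)


def demo(w=8):
    e1 = Poly([5, 3], w)             # producer encodes x as 3x + 5
    e2 = Poly([11, 7], w)            # consumer assumes 7x + 11
    e3 = fracture(e1, e2)            # hidden computation 37x + 182 (mod 256)
    x = 10
    quad = fracture(Poly([1, 3, 2], w), e2)   # quadratic permutation-polynomial producer
    e2b = Poly([1, 9], w)                     # a second consumer encoding ...
    e1b = compose_linear(e2b, e3)             # ... and producer with the same fracture
    return {
        "e3": e3.c,
        "consumed": consume(e1(x), inverse_linear(e2)),   # equals e3(x)
        "direct": e3(x),
        "quad": quad.c,
        "quad_is_perm": quad.is_perm_poly() and is_bijection(quad),
        "same_fracture": fracture(e1b, e2b).c == e3.c,
    }
```

The last entry illustrates the remark that many producer/consumer pairs share one fracture function: (e1b, e2b) differs from (e1, e2) in every coefficient, yet both consumers apply the identical hidden map 37x + 182.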
Cross-linking and cross-trapping
Extensive application of cross-linking and cross-trapping can provide an aggressive chaotic response to tampering and perturbation attacks, with much stronger resistance to code transformation and to massive static analysis. In an embodiment, cross-linking and cross-trapping can be carried out as follows, as shown in Figure 21:
1) duplicate the computation at least once;
2) randomly swap connections between the original and the copy; because they are duplicates, the result cannot change;
3) encode all of the resulting computations so that the duplicates are independently encoded;
4) randomly take original and copy results and inject computations: add their difference (= 0), or multiply one result by the ring inverse of the other (= 1), and then add the 0 or multiply by the 1 (in encoded form). The injected encoded additions of 0 or multiplications by 1 have no functional effect unless tampering occurs, in which case the code behaves chaotically.
The added benefit is that the static dependency graph becomes much denser than that of the original program, which makes static analysis attacks very difficult. Effective tampering therefore requires the (differently encoded) duplicates to be correctly identified and changed in the same way under their different encodings. Compared with ordinary tampering without cross-linking and cross-trapping, this is far more difficult to achieve.
An example implementation of data flow duplication is provided in Sections 5.2.8-5.2.10 of the Appendix and is shown in Figure 10. In addition to their normal use in the entry and exit base functions, data flow duplication and cross-checking or cross-trapping can also be applied to the data flow within the decision block, including the transfer of information from the outputs of the entry base function to the inputs of the decision block, and from the outputs of the decision block to the inputs of the exit base function.
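The following is an added example and not the patent's code; it serves both the data flow duplication rules 1-3 given earlier and the four cross-linking and cross-trapping steps just listed, on a tiny straight-line VM. Every instruction is copied with its inputs rewired as the duplication rules state, register inputs are then swapped at random between original and copy, every register (ENTER inputs included) gets its own linear encoding a*x + b mod 2^32, and for each original/copy pair (r, r') the factor 1 + (r - r') is multiplied into the final result. That factor is 1 unless tampering makes the twins differ; it is my variant of the passage's "multiply by 1", chosen because the ring-inverse form needs an odd r'. The instruction format, register names, sample program and input values are all constructed for the example.

```python
"""Duplication, cross-linking and cross-trapping on a toy VM (added example, not the patent's code)."""
import random

M = 1 << 32
MASK = M - 1
OPS = {"ADD": lambda x, y: x + y, "SUB": lambda x, y: x - y, "MUL": lambda x, y: x * y}


def run(prog, inputs):
    """Plain interpreter: prog is a list of (op, dst, src1, src2); a src names
    an ENTER input or a register written by an earlier instruction."""
    env = dict(inputs)
    for op, dst, s1, s2 in prog:
        env[dst] = OPS[op](env[s1], env[s2]) & MASK
    return env


def duplicate(prog):
    """Duplication rules 1-3: each instruction is followed by its copy; ENTER
    inputs are shared, a register input is rewired to its producer's copy."""
    copy_of, out = {}, []
    for op, dst, s1, s2 in prog:
        out.append((op, dst, s1, s2))
        copy_of[dst] = dst + "'"
        out.append((op, dst + "'", copy_of.get(s1, s1), copy_of.get(s2, s2)))
    return out, copy_of


def cross_link(prog, copy_of, rng):
    """Step 2: randomly swap a register input for its twin.  Twins are adjacent
    in the program, so every consumer still reads a value computed earlier."""
    twin = {**copy_of, **{v: k for k, v in copy_of.items()}}
    pick = lambda s: twin[s] if s in twin and rng.random() < 0.5 else s
    return [(op, dst, pick(s1), pick(s2)) for op, dst, s1, s2 in prog]


def cross_trap(prog, copy_of, result):
    """Step 4 (variant): for every pair (r, r') append d = r - r' and
    f = 1 + d, and fold f into the result; returns program and result register."""
    prog, acc = list(prog), result
    for i, (r, r2) in enumerate(copy_of.items()):
        d, f, nxt = f"d{i}", f"f{i}", f"trap{i}"
        prog += [("SUB", d, r, r2), ("ADD", f, d, "one"), ("MUL", nxt, acc, f)]
        acc = nxt
    return prog, acc


def encode_all(prog, inputs, rng):
    """Step 3: every register, ENTER inputs included, gets its own (a odd, b)."""
    regs = set(inputs) | {dst for _, dst, _, _ in prog}
    return {r: (rng.randrange(1, M, 2), rng.randrange(M)) for r in regs}


def run_encoded(prog, enc, inputs):
    """Execute over encoded registers; returns a decoder for the final state.
    A real implementation folds decode/operate/encode into one polynomial
    per instruction; here the three steps are spelled out."""
    env = {r: (enc[r][0] * v + enc[r][1]) & MASK for r, v in inputs.items()}
    dec = lambda r: ((env[r] - enc[r][1]) * pow(enc[r][0], -1, M)) & MASK
    for op, dst, s1, s2 in prog:
        v = OPS[op](dec(s1), dec(s2)) & MASK
        env[dst] = (enc[dst][0] * v + enc[dst][1]) & MASK
    return dec


def protect(prog, result, inputs, seed):
    rng = random.Random(seed)
    dup, copy_of = duplicate(prog)
    trapped, out = cross_trap(cross_link(dup, copy_of, rng), copy_of, result)
    return trapped, out, encode_all(trapped, inputs, rng)


def tamper(prog, targets):
    """Model an attacker turning the MUL that defines each named register into an ADD."""
    return [("ADD", d, s1, s2) if d in targets and op == "MUL" else (op, d, s1, s2)
            for op, d, s1, s2 in prog]


# Constructed sample program, t4 = (in0*in1 + in0)*in1 + in0*in1, and inputs.
PROG = [("MUL", "t1", "in0", "in1"), ("ADD", "t2", "t1", "in0"),
        ("MUL", "t3", "t2", "in1"), ("ADD", "t4", "t3", "t1")]
INPUTS = {"in0": 6, "in1": 7, "one": 1}


def demo(seed=1):
    prot, out, enc = protect(PROG, "t4", INPUTS, seed)
    return {
        "plain": run(PROG, INPUTS)["t4"],                                         # 378
        "protected": run_encoded(prot, enc, INPUTS)(out),                         # 378
        "one_site": run_encoded(tamper(prot, {"t1"}), enc, INPUTS)(out),          # chaotic
        "both_sites": run_encoded(tamper(prot, {"t1", "t1'"}), enc, INPUTS)(out),  # 146
    }
```

Patching only the original `t1` leaves its twin computing 42 while it now computes 13, so the factor for that pair becomes 1 - 29 = -28 mod 2^32; the final result is therefore a multiple of 4 and can equal neither the correct 378 nor the 146 an attacker would expect from the patch. Patching both `t1` and `t1'` in the same way keeps all twins equal, which is exactly the "identify and change every duplicate consistently" burden the passage describes.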
Context-dependent encoding
In some embodiments, the context in which a base function pair is implemented can be an integral part of the operation of the base functions. Context includes information from the application, the hardware and/or the communication. The context of a base function component can also include information from other components that are part of the application in which it resides.
Referring to Figure 22, an implementation of a base function pair or similar structure can be hosted on a platform from which hardware or other platform signature constants can be derived, and the implementation can be made dependent on that platform. An implementation can preferably reside in a containing application from which application signatures or other application constants can be derived, and the implementation can be made dependent on that containing application.
An implementation can also take inputs from which further constant signature information can be derived, and can be made dependent on those inputs.
Biased permutations via sorting networks
Permutations provide a way of storing a vast number of alternatives, with bias, in a finite space. For example, row/column permutations can be used to turn one non-repeating 4x4 matrix into 576 non-repeating 4x4 matrices. In some embodiments, the order of computation can be permuted, deep dependence on runtime data can be generated, and so on.
Referring to Figure 7, some embodiments can first sort at each cross-link, comparing and exchanging when greater. To permute instead, the exchange is performed with probability 1/2. It is easy to show that if the network sorts correctly with compare-and-exchange, then with random exchange it permutes, with the full range of permutations as possible outputs. Some embodiments can use, as the recommended 1/2-probability Boolean generator, a comparison of the values of two text-based full-range permutation-polynomial encodings.
Such a sorting network permutes in a biased way, that is, some permutations are more probable than others, because the number of exchange configurations is 2 raised to the number of stages, whereas the number of permutations is the factorial of the number of elements being permuted, which does not evenly divide the number of exchange configurations. Although the output is biased, the advantages are simplicity and high dependence on non-T functionality.
Unbiased permutations via sample selection
In some embodiments, unbiased permutations can also be generated as follows: among the n elements, the first element is chosen by r1 mod n (zero origin); from the remaining elements, the second element is chosen by r2 mod (n-1), and so on. In this process, each r_i is a text-based full-range value. This provides near-perfectly unbiased, non-T functionality. However, compared with permutations based on sorting networks, the operations are less easily hidden in, or interleaved with, normal code.
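The following is an added example, not the patent's code, covering both the sorting-network permutation of the previous section and the sample-selection permutation of this one. It checks a 4-input comparator network with the 0-1 principle, replaces each compare-exchange by a coin-flip exchange and counts exactly how the 2^5 flip patterns land on the 24 permutations (all are reachable, but not equally often), and computes the exact residual bias of sample selection, which comes only from 2^wordbits mod (n-k) being nonzero at some stages. The network, element count and word sizes are my own choices.

```python
"""Biased network permutation versus unbiased sample selection (added example, not the patent's code)."""
from collections import Counter
from itertools import product

# A 4-input sorting network: five compare-exchange stages on (i, j) positions.
NETWORK4 = [(0, 1), (2, 3), (0, 2), (1, 3), (1, 2)]


def network_sorts(network, n):
    """0-1 principle: a comparator network sorts every input iff it sorts every 0/1 input."""
    for bits in product((0, 1), repeat=n):
        e = list(bits)
        for i, j in network:
            if e[i] > e[j]:
                e[i], e[j] = e[j], e[i]
        if any(e[k] > e[k + 1] for k in range(n - 1)):
            return False
    return True


def network_permute(elems, network, flips):
    """Replace each compare-exchange by an exchange decided by a coin flip."""
    e = list(elems)
    for (i, j), s in zip(network, flips):
        if s:
            e[i], e[j] = e[j], e[i]
    return tuple(e)


def permutation_distribution(network, n):
    """How many of the 2**stages flip patterns yield each permutation.
    2**stages is not a multiple of n!, so the counts cannot all be equal."""
    ident = tuple(range(n))
    return Counter(network_permute(ident, network, flips)
                   for flips in product((0, 1), repeat=len(network)))


def sample_permutation(rs, n):
    """Unbiased selection: r1 mod n picks the first element, r2 mod (n-1)
    the second from those remaining, and so on; rs holds n full-range values."""
    remaining, out = list(range(n)), []
    for k, r in enumerate(rs):
        out.append(remaining.pop(r % (n - k)))
    return tuple(out)


def sample_bias(n, word_bits):
    """Exact max/min probability ratio over the n! outputs of sample_permutation
    when each r_i is a uniform word_bits-bit value."""
    total, hi, lo = 1 << word_bits, 1, 1
    for k in range(n):
        q, rem = divmod(total, n - k)
        hi *= q + (1 if rem else 0)
        lo *= q
    return hi / lo


def demo():
    dist = permutation_distribution(NETWORK4, 4)
    return {
        "sorts": network_sorts(NETWORK4, 4),
        "reachable": len(dist),                  # 24: every permutation occurs
        "patterns": sum(dist.values()),          # 32 = 2**5
        "least": min(dist.values()),             # 1
        "most": max(dist.values()),              # at least 2: biased
        "sample_bias_8bit": sample_bias(4, 8),   # 86/85
        "sample_bias_32bit": sample_bias(4, 32), # about 1 + 7e-10
    }
```

With 8-bit r_i the sample-selection bias is already only 86/85 (256 mod 3 = 1), and with 32-bit values it is below one part in a billion, which is the "near-perfectly unbiased" claim made concrete; the network, by contrast, must give some permutation at least twice the weight of another because 32 patterns cover 24 outputs.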
Constraining bit-slice analysis
As explained above, bit-slice attacks are a common attack tool: a function is executed repeatedly while all bits but the least significant one are ignored, then all but the two least significant bits, then all but the three least significant bits, and so on. This lets the attacker build up information until the full word size (e.g., 32 bits) is reached, at which point complete information about how the function behaves has been obtained.
Functions constructed from T-function and non-T-function pieces have sub-domains on which they are T-functions, embedded in a whole domain on which they are not T-functions. In some embodiments, it may be advantageous to make the number of such sub-domains very large (e.g., in the Mark III type system described herein, there can be more than 10^40 such sub-domains), so that bucketing attacks on these sub-domains become highly sub-domain-intensive. In some embodiments, liberal use is also made of non-T-function computations elsewhere, such as at decision points, in permutations, in recoding, etc.
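The following is an added example, not the patent's code. It gives the exhaustive check a designer can run on a word function to decide whether it is a T-function (output bit k depends only on input bits 0..k, which is what makes slice-by-slice tabulation possible), and shows a function assembled from a T piece and a non-T piece that is a T-function on a sub-domain but not on the whole domain, as the passage describes. The word size of 8 bits and all of the sample functions are constructed for the example.

```python
"""T-function versus non-T-function checks over w-bit words (added example, not the patent's code)."""


def mask(w):
    return (1 << w) - 1


def rotl(x, r, w):
    """Left rotation: a non-T operation, since low output bits come from high input bits."""
    return ((x << r) | (x >> (w - r))) & mask(w)


def is_t_function(f, w, domain=None):
    """True iff, for every k, inputs in `domain` that agree on their low k
    bits produce outputs that agree on their low k bits."""
    xs = list(domain) if domain is not None else list(range(1 << w))
    for k in range(1, w + 1):
        m, seen = mask(k), {}
        for x in xs:
            if seen.setdefault(x & m, f(x) & m) != f(x) & m:
                return False
    return True


def slice_tables(f, w):
    """For a T-function, the low-k-bit restriction for each k, as a table
    keyed by the low k input bits.  This is the object a slice-by-slice
    analysis reconstructs; for a non-T function it is not well defined."""
    assert is_t_function(f, w)
    return {k: {x & mask(k): f(x) & mask(k) for x in range(1 << w)}
            for k in range(1, w + 1)}


W = 8
t_poly = lambda x: (3 * x + 5) & mask(W)            # multiply and add: T
t_xorshift = lambda x: (x ^ (x << 3)) & mask(W)     # left shift and xor: T
non_rot = lambda x: rotl(x, 3, W)                   # rotation: non-T
non_shr = lambda x: x ^ (x >> 3)                    # right shift: non-T
mixed = lambda x: t_poly(x) if x < 128 else non_rot(x)   # T on [0,128), non-T overall


def summary():
    return {
        "t_poly": is_t_function(t_poly, W),
        "t_xorshift": is_t_function(t_xorshift, W),
        "non_rot": is_t_function(non_rot, W),
        "non_shr": is_t_function(non_shr, W),
        "mixed_whole": is_t_function(mixed, W),
        "mixed_sub": is_t_function(mixed, W, range(128)),
        "slices": len(slice_tables(t_poly, W)),
    }
```

The `mixed` function is the point of the passage in miniature: restricted to inputs below 128 it passes the T-function check and can be tabulated slice by slice, but over the whole domain a single rotation piece breaks the property, and a design with a vast number of such sub-domains forces a slice attacker to separate them first.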
Example general data fusion mechanism
Figure 24 shows a graphical representation of the typical use of the mass data encoding or dynamic data mangling described above. If the inputs to a base function are obfuscated via such an obscured memory array (either of the two techniques provides one) and the results are likewise obtained from an application of an obscured memory array, then it becomes difficult for an attacker to analyze the data flow of information entering or leaving the base function, which makes instrumentation of the base function more difficult.
Security refresh rate
For effective application security lifecycle management, an application typically must be able to resist attack on an ongoing basis. As part of this resistance, such an application can be configured to upgrade itself in response to security refresh messages containing security update information. Such upgrades can involve patch files, table replacements, new cryptographic keys and other security-related information.
A viable security level is one in which application security is refreshed frequently enough that the time needed to compromise an instance exceeds the time until a security refresh invalidates the compromise; that is, instances are typically refreshed faster than they can be broken. This is certainly achievable with a very high security refresh rate. However, such frequent refresh activity consumes bandwidth, and as we raise the refresh rate, the fraction of bandwidth allocated to security refresh messages increases and the available non-security payload bandwidth decreases.
Clearly, then, an appropriate security refresh rate must be designed for each application, because the tolerable overhead varies widely with context. For example, if we expect only grey-box attacks (side-channel attacks) in a cloud application, we would use a lower refresh rate than if we expect white-box attacks (that is, malicious insider attacks by cloud provider staff).
Authentication to equality with chaotic failure
Suppose we have an application in which authentication is password-like: authentication succeeds when a supplied value G matches a reference value. Suppose further that we care what happens when the two are equal, and that if they are unequal we simply want authorization to be no longer possible. That is, when the values are equal we succeed, and if they are unequal, further computation may simply fail.
Authentication to equality is unaffected by applying any harmless function to both sides: for any bijection, we can equally well test whether the images of the two values are equal. Even if the function is lossy, authentication to equality remains valid with high probability if the function is carefully chosen so that the probability of the images coinciding when the values differ is sufficiently low (as, for example, in Unix password authentication). Using the techniques described earlier in this document, we can perform such a test simply. We earlier described a method of defeating tampering as follows: duplicate the data flow, randomly cross-connect the data flow between the duplicate instances, and perform encoded checks to ensure that equality is not compromised. We can adapt this method to test whether the two values are equal, or, in encoded form, whether their encoded images are equal.
We note that the data flow producing one of the two values along the success path already duplicates the data flow producing the other, so we omit the data flow duplication step for this comparison. We then simply perform the cross-connection described above and insert checks. By using these computations as coefficients of subsequent encoded computations, we ensure that if the values are equal everything proceeds normally, and if they are unequal, then although further comparison continues, the results will be chaotic and the computation will fail functionally. Moreover, because the applied function is a function, if the values are equal we can be sure that their images are equal.
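The following is an added example, not the patent's code. It shows the "coefficients of subsequent encoded computations" idea in its simplest form: a bijection f is applied to both the supplied value and the reference value, the producer encodes a payload under constants derived from f(supplied), and the consumer decodes under constants derived from f(reference), so no instruction ever compares the two values and yet the computation is only correct when they are equal. The bijection f, the coefficient derivation and the sample values are my own constructions.

```python
"""Branch-free authentication to equality with chaotic failure (added example, not the patent's code)."""

M = 1 << 32
MASK = M - 1


def f(x):
    """A 32-bit bijection applied to both sides (odd multiplier, so invertible mod 2**32)."""
    return (0x9E3779B1 * x + 0x7F4A7C15) & MASK


def coefficients(h):
    """Linear-encoding constants (a, b) derived from an f-value h; a = 2h+1 is always odd."""
    return (2 * h + 1) & MASK, h


def encode_with(h, v):
    a, b = coefficients(h)
    return (a * v + b) & MASK


def decode_with(h, y):
    a, b = coefficients(h)
    return ((y - b) * pow(a, -1, M)) & MASK


def guarded_compute(supplied, reference, payload):
    """Encode payload under f(supplied), continue under f(reference), and keep
    computing either way (here: add one).  Equal values give payload + 1;
    unequal values make the mismatch act as a fracture, and every later use
    of the result runs on chaotic data.  Nothing here branches on equality."""
    y = encode_with(f(supplied), payload)
    v = decode_with(f(reference), y)
    return (v + 1) & MASK


def fetch_with_guard(supplied, reference, table):
    """Downstream use: index a table with the guarded value.  When the
    values match the intended entry is read; otherwise an unrelated one is."""
    return table[guarded_compute(supplied, reference, 2) % len(table)]
```

Because the multiplier of f is odd and its constant is odd, f(G) has the opposite parity to G, so a supplied value and a reference value of different parity yield decoded values of different parity: for G = 1000 against a reference of 1001 the result is provably not payload + 1, and for other mismatches it is wrong with overwhelming probability, without any point at which a single comparison could be patched out.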
Variable-dependent coding
In some embodiments that incorporate operations using one or more variables, variable-dependent coding can be used to further obscure the operation of dependent code, where the one or more variables need not have particular values during their use in the operation. One way to do this is to use values that are used or generated by other operations or dependent code segments nearby. Such values can thus be reused for different purposes within a code region, which can make it harder for an attacker to isolate or extract any information about a particular operation that is performed on those values. For example, if a value x is encoded as a linear function of x with constants a and b, there can be considerable latitude in the particular values chosen for a and b. In this example, if the executing code contains values that remain constant during the lifetime of x, they can be used as one or more of the constants a and/or b.
Moreover, for a single defined operation, different values can be used each time the operation is executed, so that the particular values used change on every execution. This can act as an additional barrier to a potential attacker, who may be unable to track values from one execution to the next as would be expected for cleartext code, encrypted code or other types of obfuscated code. Continuing the example above, a first operation can return values a and b, and a second operation can return values c and d, each of which is stored in memory for some period of time. The variable x can be encoded using a and b during the time a and b are stored in memory, and using c and d during the time c and d are stored in memory. Thus the appropriate variables are available via memory to allow x to be decoded or otherwise manipulated under the appropriate encoding. These values can be overwritten or discarded after that time, because the encoding constants only need to be available while x is in use by the operations of the executing program.
Similarly, in addition to or instead of the limited encoding example given, variable values generated during code execution can be used for other purposes. For example, variable values can be used to select random entries from a list or index, as seeds for pseudo-random number generators, as additive, multiplicative or other scaling factors, and so on. More generally, variable values generated by one part of the executing code can be used at any point at which another part of the executing code needs a constant value, provided the generated values are available for a longer duration than their generation.
Exemplary advantages
Embodiments of the invention described herein can be used to provide the following, where "a sufficient period of time" can be selected based on the needs of security lifecycle management, or otherwise determined by the needs managed by security lifecycle management:
1) black-box security: the security of the keyed cipher, as a black box, against adaptive known-plaintext attack over a sufficient period of time;
2) secure boundary: information is imported into and exported from the surrounding code securely, in encoded form, over a sufficient period of time;
3) key hiding: key extraction from the implementation is prevented over a sufficient period of time;
4) weakest-path protection: protection is cryptographic even on the weakest data path over a sufficient period of time;
5) anti-partitioning: the implementation cannot be partitioned into its constituent building blocks over a sufficient period of time;
6) application locking: the implementation cannot be extracted from its protecting application over a sufficient period of time; and
7) node locking: the implementation cannot be extracted from its host platform over a sufficient period of time.
Generally, embodiments disclosed herein relate to encoding base functions using the various techniques and systems disclosed. Specific embodiments herein (such as in the Appendix) can also be referred to as "ClearBox" implementations.
The various techniques disclosed herein can use operations essentially similar to those used in the application protected by the disclosed techniques, as previously described. That is, protection techniques such as base functions, fractures, dynamic data mangling, cross-linking and variable-dependent coding can use operations similar to those used by the original application code, so that a potential attacker may find it difficult or impossible to distinguish between the original application code and the protections disclosed herein. As a particular example, base functions can be constructed using operations identical or computationally similar to those performed by the original application code, and the base functions integrate with the original application code, in contrast to the distinctive functions employed by known cryptographic techniques. Operations and techniques that are difficult or impossible to distinguish in this way may be described herein as "computationally similar".
Methods are always conceived as a self-consistent sequence of steps leading to a desired result. These steps require physical manipulation of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared and otherwise manipulated. It is sometimes convenient, principally for reasons of common usage, to refer to these signals as bits, values, parameters, items, elements, objects, symbols, characters, terms, numbers or the like. It should be noted, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to those quantities. The description of the invention has been presented for purposes of illustration, but it is not intended to be exhaustive or to be limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen to explain the principles of the invention and its practical application, and to enable others of ordinary skill in the art to understand the invention in various embodiments with various modifications as may be suited to other contemplated uses.
Embodiments disclosed herein can be implemented in and used with a variety of computer systems and architectures. Figure 32 is an example computer system 3200 suitable for implementing embodiments disclosed herein. The computer 3200 can include a communication bus 3201 that interconnects the major components of the system, such as a central processing unit 3210; fixed storage 3240, such as a hard drive, flash memory, SAN device, etc.; memory 3220; an input/output module 3230, such as a display screen connected via a display adapter, and/or one or more controllers and associated user input devices such as a keyboard, mouse, etc.; and a network interface 3250, such as an Internet or similar interface, allowing communication with one or more other computer systems.
As will be readily understood by those skilled in the art, the bus 3201 allows data communication between the central processing unit 3210 and the other components. Applications resident with the computer 3200 are generally stored on and accessed via a computer-readable medium such as the storage 3240 or another local or remote storage device. Generally, each module shown can be integrated with the computer, or can be separate and accessed through other interfaces. For example, the storage 3240 can be local storage such as a hard drive, or a remote storage device such as network-attached storage.
Many other devices or components can be connected in a similar manner. Conversely, not all of the components shown need be present to practise the embodiments disclosed herein. The components can be interconnected in ways different from that shown. The operation of a computer such as the one shown is readily known in the art and is not discussed in detail in this application. Code for implementing embodiments of the present disclosure can be stored in a computer-readable storage medium, such as one or more of the memory 3220, the storage 3240, or a combination thereof.
More generally, various embodiments disclosed herein can take the form of computer-implemented processes and apparatus for practising those processes. Embodiments can also be embodied in the form of a computer program product having computer program code containing instructions embodied in non-transitory and/or tangible media, such as floppy diskettes, CD-ROMs, hard drives, USB (universal serial bus) drives, or any other machine-readable storage medium. When such computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practising embodiments disclosed herein. Embodiments can also be embodied in the form of computer program code, whether stored in a storage medium, loaded into and/or executed by a computer, or transmitted over some transmission medium, such as over electrical wiring or cabling, through fibre optics, or via electromagnetic radiation, such that when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practising embodiments disclosed herein. When implemented on a general-purpose processor, the computer program code can configure the processor to create specific logic circuits. In some configurations, a set of computer-readable instructions stored on a computer-readable storage medium can be implemented by a general-purpose processor, which can transform the general-purpose processor or a device containing it into a special-purpose device configured to implement or carry out the instructions. Embodiments can be implemented using hardware that includes a processor, such as a general-purpose microprocessor and/or an application-specific integrated circuit (ASIC) that embodies all or part of the techniques according to embodiments of the disclosed subject matter in hardware and/or firmware.
In some embodiments, the various features and functions disclosed herein can be implemented by one or more modules in a computer system and/or in software executed by a computer system. For example, a computer system according to some embodiments disclosed herein can include one or more modules configured to: receive existing computer-executable code, modify the code as disclosed herein, and output the modified code. Each module can include one or more sub-modules; for example, the module configured to modify existing computer-readable code can include one or more modules for generating base functions, fusing the base functions with the code, and outputting the fused code. Similarly, other modules can be used to implement other functions disclosed herein. Each module can be configured to perform a single function, or a single module can perform multiple functions. Likewise, each function can be implemented by one or more modules operating independently or cooperatively.
One or more presently preferred embodiments have been described by way of example. It will be clear to those skilled in the art that many variations and modifications can be made without departing from the scope of the invention as defined in the claims.
1. Introduction
This document addresses the following problem: to create programmatic implementations of pairs F, G of bijective functions, , such that:
(1) given white-box access to F and a value y, it is "hard" to find x such that ;
(2) given white-box access to G and a value x, it is "hard" to find y such that ;
(3) given white-box access to F, it is "hard" to find an implementation Q of ; and
(4) given white-box access to G, it is "hard" to find an implementation P of .
We note that information K sufficient to determine easily can be regarded as the key of a symmetric cipher, in which F and G encrypt and decrypt according to the key K.
We do not specify what we mean by "hard". At a minimum, we want choosing K and generating F, G to require significantly less effort than solving any one of problems (1)-(4) above.
Appendix
Symbol  Meaning (rows whose symbol did not survive extraction give only the meaning)
B  the set of bits = {0, 1}
N  the set of natural numbers = {1, 2, 3, ...}
N0  the set of finite cardinal numbers = {0, 1, 2, ...}
Z  the set of integers = {..., -1, 0, 1, ...}
  x such that y
  x is set to y
x iff y  x if and only if y
[A]  1 if assertion A is true, otherwise 0
x || y  the concatenation of tuples or vectors x and y
  the bitwise AND of x and y
  the bitwise inclusive OR of x and y
  the bitwise exclusive OR of x and y
  the bitwise NOT of x
  the inverse of x
  the smallest integer k such that
  the largest integer k such that
  the image of the set S under the MF f
  applying MF f to x produces y and only y
  applying MF f to x can produce y
  applying MF f to x cannot produce y
  the result of applying MF f to x is undefined
  the transpose of matrix M
|S|  the cardinality of the set S
|V|  the length of the tuple or vector V
|n|  the absolute value of the number n
  the k-tuple or k-vector with elements
  k-aggregation
  k-conglomeration
  set
{x | C}  the set of x such that C
  the set of members x of the set S such that C
  the Hamming distance (= number of differing element positions) from x to y
  Cartesian product of sets
  composition of MFs
  x is a member of the set S
  the set S is contained in or equal to the set T
  the set S is properly contained in the set T
  and
GF(n)  the Galois field (= finite field) with n elements
Z/(k)  the finite ring of integers modulo k
Id_S  the identity function on the set S
rand(n)  a uniformly distributed random variable on
extract[a, b](x)  the bit field of the bit string x from bit position a to bit position b
extract[a, b](v)  (extract[a, b](v1), ..., extract[a, b](vk)), where v = (v1, ..., vk)
interleave(u, v)  (u1 || v1, ..., uk || vk), where u = (u1, ..., uk) and v = (v1, ..., vk)
Table 1: Notation
Abbreviation  Expansion
AES  Advanced Encryption Standard
Agg  aggregation
API  application programming interface
BA  Boolean arithmetic
BB  matrix
CFG  control-flow graph
DES  Data Encryption Standard
DG  directed graph
DLL  dynamic link library
GF  Galois field (= finite field)
IA  intervening aggregation
iff  if and only if
MBA  mixed Boolean-arithmetic
MDS  maximum distance separable
MF  multi-function
OE  output extension
PE  partial evaluation
PLPB  pointwise linear partitioned bijection
RSA  Rivest-Shamir-Adleman
RNS  residue number system
RPE  reverse partial evaluation
TR  tamper resistance
SB  substitution box
SBE  software-based entity
SO  shared object
VHDL  very high speed IC hardware description language
Table 2: Abbreviations
2. Terminology and notation
We write " " to mean "such that", and we write "iff" to mean "if and only if". Table 1 summarizes much of the notation used herein, and Table 2 summarizes many of the abbreviations used herein.
2.1 Sets, tuples, relations and functions. For a set S, we write |S| for the cardinality of S (that is, the number of members of S). We also use |n| to denote the absolute value of a number n.
We write to denote the set whose members are . (Hence, if the listed members are pairwise distinct, then .) We also write for the set of all x for which condition C holds, where C is normally a condition depending on x.
2.1.1 Cartesian products, tuples and vectors. When A and B are sets, A × B is the Cartesian product of A and B; that is, the set of all pairs (a, b) with (that is, a is a member of A) and (that is, b is a member of B). Hence we have . In general, for sets , the members of are k-tuples of the form , where for , . If is a tuple, we write for the length of t (in this case, ; that is, the tuple has k element positions). For any x, we regard x and (x), the tuple of length 1 whose only element is x, as identical. If all elements of a tuple belong to the same set, we call it a vector over that set.
If u and v are two tuples, then u || v is their concatenation: the tuple of length |u| + |v| obtained by listing the elements of u in order followed by the elements of v in order; for example, .
We regard parentheses as significant in Cartesian products: for sets A, B, C, the members of look like , whereas the members of look like , where and . Similarly, the members of look like , where and .
2.1.2 Relations, multi-functions (MFs) and functions. A k-ary relation on the Cartesian product of k sets (where we must have ) is any set . Usually we will be interested in binary relations, that is, relations on two (not necessarily distinct) sets A, B. For such a binary relation we write to indicate . For example, when R is the set of real numbers, the binary relation on real numbers is the set of all pairs (x, y) of real numbers with x less than y, and when we write , we mean .
The notation indicates , that is, R is a binary relation on A × B. This notation is similar to the notation for functions below. It is intended to indicate that the binary relation is interpreted as a multi-function (MF), the abstraction of a computation, not necessarily deterministic, that takes inputs from the set A and returns outputs in the set B. In the case of a function, this computation must be deterministic, whereas in the case of an MF it need not be, which makes MFs a better mathematical model for much software, in which external events may affect the progress of execution within a given process. A is the domain of MF R, and B is the codomain of MF R. For any set , we define ; is the image of X under R. For and , we write to mean , we write to mean , we write to mean , and we write (read "R(a) is undefined") to mean that there is no .
For a binary relation , we define . is the inverse of R.
For binary relations and , we define by . is the composition of S and R. Composition of binary relations is associative; that is, for binary relations , . Hence, for binary relations , we can freely write without parentheses, because the expression has the same meaning wherever we place them. Note that , in which we first take the image of X under , then the image of that image under , and so on up to the image of the penultimate image under ; this is why the in a composition are written in the reverse of the order in which the images are taken, with the rightmost applied first, as the image notation expresses.
For , where , is the binary relation , and . is the aggregation of .
For , where , is the binary relation
and . is the conglomeration of .
We write to indicate a function from A to B, that is, a relation such that for any and , if and , then . For any set S, we have the identity function with for all .
2.1.3 Directed graphs, control-flow graphs and dominators. A directed graph (DG) is an ordered pair , where the set N is the node set and the binary relation is the arc relation or edge relation. is an arc or edge of G.
A path in is a sequence of nodes , where for , , and for , . is the length of the path. The shortest possible path has the form , of length zero. A path is acyclic iff no node appears in it twice; that is, iff there are no indices i, j with such that . For a set S, we define , where S appears r times and appears r-1 times (so that ), and we define , the infinite union of all Cartesian products of S of every possible length. Then every path in G is an element of N+.
In a directed graph , node is reachable from node if there is a path in G which starts at x and ends at y. (Hence every node is reachable from itself.) The reach of is | y is reachable from x }. Two nodes x, y are connected in G iff one of the following two conditions holds recursively:
(1) there is a path of G in which both x and y appear, or
(2) there is a node in G such that x and z are connected and y and z are connected.
(If x = y, then the singleton (that is, length 1) path (x) is a path from x to y, so every node of G is connected to itself.) is a connected graph iff every pair of nodes of G is connected.
For each node , the number of arcs in A which start at x and end at some other node is the out-degree of node x, and for each node , the number of arcs in A which start at some node and end at y is the in-degree of node y. The degree of a node is the sum of the in-degree and the out-degree of n.
A source node in is a node whose in-degree is zero, and a sink node in is a node whose out-degree is zero.
is a control-flow graph (CFG) iff it has a distinguished source node from which every node is reachable.
Let be a CFG with source node n0. Node dominates node iff every path starting at n0 and ending at y contains x. (Note that, by this definition and the remark above, every node dominates itself.) A set of nodes X dominates a set of nodes Y in a CFG iff every path starting at the start node and ending with an element of Y contains an element of X.
With and as above, a non-empty node set dominates a non-empty node set iff every path starting at and ending with an element of Y contains an element of X. (Note that the case of a single node dominating another single node is the special case of this definition in which |X| = |Y| = 1.)
2.2 Algebraic structures. Z denotes the set of all integers, and N the set of all integers greater than zero (the natural numbers). denotes the ring of integers modulo m, for some integer . Whenever m is prime, , the Galois field of integers modulo m. B denotes the set of bits, which is usually identified with the two-element ring .
2.2.1 Identities. Identities (that is, equations) play a crucial role in obfuscation: if for two expressions X, Y we know that X = Y, then we can substitute the value of Y for the value of X, and we can substitute the computation of Y for the computation of X, and vice versa.
That such substitutions based on algebraic identities are easy to use for obfuscation is shown by the following fact: their use is found in every one of the transformation extensions.
Sometimes we wish to make Boolean expressions identical (equal), and these Boolean expressions may themselves contain equations. For example, in a typical computer algorithm, (using signed comparison). Hence "iff" is the equality of conditions, and an expression containing "iff" is likewise an identity; specifically, a condition identity or Boolean identity.
2.2.2 Matrices. We denote an (r rows, c columns) matrix M as follows:
where its transpose is denoted by , where
so that, for example,
2.2.3 Relation to computer arithmetic. On (the set of all bit vectors of length n), define addition (+) and multiplication ( ) as they are conventionally defined for two's-complement fixed-point arithmetic on computers (see [25]). Then is the finite two's-complement ring of order . The modular integer ring and are isomorphic, which is the basis of the usual computer fixed-point computations (addition, subtraction, multiplication, division and remainder) on computers with an n-bit word length.
(For convenience, we may write for xy (x times y); that is, we may denote multiplication by juxtaposition, which is the common convention in algebra.)
In view of this isomorphism, we use the two rings interchangeably, although we may regard as containing the signed numbers from to inclusive. The reason we can ignore the question of whether an element of occupies the signed range or the range from 0 to inclusive is that the effect of the arithmetic operations and on bit vectors in is identical whether we interpret the numbers as two's-complement signed numbers or as binary-magnitude unsigned numbers.
The question of whether we interpret a number as signed arises only for the inequality operators , which means we must decide in advance how a particular number is to be treated: an inconsistent interpretation will produce anomalous results, just as the incorrect use of signed versus unsigned comparison instructions by a C or C++ compiler would produce anomalous code.
2.2.4 Bitwise computer instructions and . On (the set of all bit vectors of length n), computers with an n-bit word typically provide bitwise AND ( ), inclusive OR ( ) and NOT ( ). Then is a Boolean algebra. In , where the vector length is one, 0 is false and 1 is true.
For any two vectors , we define the bitwise XOR of u and v by . For convenience, we typically write for . For example, we can also express the identity as .
Because vector multiplication in the Boolean algebra (bitwise AND) is associative, is a ring (called a Boolean ring).
2.2.5 T-functions and non-T-functions. A function mapping k-vectors of w-bit words to m-vectors of w-bit words is a T-function in the following case: if for every pair of vectors (where and , and where the bits in a w-bit word are numbered from 0 to w-1), the lowest-numbered bit in an element word at which y and y' differ is no lower than the lowest-numbered bit in an element word at which x and x' differ. Typically we think of this numbering as running from low-order to high-order bits, regarding a word as representing a binary-magnitude value, so this can be restated as: an output bit can depend only on input bits of the same or lower order.
Computations on composed from together with (thus all arithmetic operations on w-bit words) are T-functions. Obfuscations built from T-functions are vulnerable to bit-slice attacks, because from any T-function we can obtain another legitimate T-function by dropping the higher-order bits from all the words in the input and output vectors.
The T-function property does not hold for right shifts, bitwise rotations, division, or remainder/modulus operations whose divisor/modulus is not a power of 2, nor for functions in which conditional branches make decisions, where higher-order condition bits affect the values of lower-order output bits.
Conditional branches, and conditions based on comparisons, deserve attention: conditional execution based on conditions formed using the six standard comparison operators can easily violate the T-function condition, and in fact, in ordinary code using branch logic based on comparisons, violating the T-function property is more likely than obeying it.
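As an added example (not code from the patent), the following Python checks the T-function property exhaustively at a small word width W using the equivalent bit-slice formulation (the low t output bits depend only on the low t input bits) and applies it to the operations the text names; W, the operations and the mixed function are constructed for the demonstration.

```python
"""Added example, not from the patent: testing the T-function property of
section 2.2.5 on w-bit words, and the bit-slice reduction that lets a
T-function-only construction be analysed width by width."""
from itertools import product

W = 6                                   # small width so the check is exhaustive

def is_t_function(f, w=W, arity=1):
    """True iff f on (Z/2^w)^arity is a T-function.

    Equivalent to the definition in the text: output bit i may depend only on
    input bits 0..i, i.e. for every slice width t < w,
        f(x) mod 2^t == f(x mod 2^t) mod 2^t.
    """
    full_mask = (1 << w) - 1
    for args in product(range(1 << w), repeat=arity):
        full = f(*args) & full_mask
        for t in range(1, w):
            m = (1 << t) - 1
            if (f(*(a & m for a in args)) & m) != (full & m):
                return False
    return True

def bit_slice(f, t):
    """The t-bit function induced by f: drop the higher-order output bits.
    For a T-function f this is again a T-function and agrees with f on the
    low t bits, which is exactly what a bit-slice analysis exploits."""
    m = (1 << t) - 1
    return lambda *args: f(*args) & m

def to_signed(x, w=W):
    """Interpret a w-bit pattern as a two's-complement value (section 2.2.3)."""
    return x - (1 << w) if x >> (w - 1) else x

# Operations on W-bit words (constructed for the demonstration).
add = lambda x, y: (x + y) & ((1 << W) - 1)
mul = lambda x, y: (x * y) & ((1 << W) - 1)
xor = lambda x, y: x ^ y
shl3 = lambda x: (x << 3) & ((1 << W) - 1)        # left shift = multiply by 8
shr1 = lambda x: x >> 1                           # right shift
rotl1 = lambda x: ((x << 1) | (x >> (W - 1))) & ((1 << W) - 1)   # rotation
mod3 = lambda x: x % 3                            # modulus not a power of two
mod8 = lambda x: x % 8                            # modulus a power of two = masking
lt_signed = lambda x, y: int(to_signed(x) < to_signed(y))   # branch condition

def classify():
    """Map each operation name to whether it is a T-function."""
    return {
        "add": is_t_function(add, arity=2), "mul": is_t_function(mul, arity=2),
        "xor": is_t_function(xor, arity=2), "shl3": is_t_function(shl3),
        "shr1": is_t_function(shr1), "rotl1": is_t_function(rotl1),
        "mod3": is_t_function(mod3), "mod8": is_t_function(mod8),
        "lt_signed": is_t_function(lt_signed, arity=2),
    }

def mixed(x, y):
    """A mixed Boolean-arithmetic T-function: every step is +, *, ^, | on words."""
    m = (1 << W) - 1
    return ((x * 0x2D + (y ^ 0x15)) & m) * (x | 1) & m
```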
2.2.6 Polynomials. A polynomial is an expression of the form (where, for every x, ). If , then d is the degree of the polynomial. Polynomials can be added, subtracted, multiplied and divided, and the result of such an operation is itself a polynomial. If d = 0, the polynomial is constant; that is, it consists simply of the scalar constant a0. If d > 0, the polynomial is non-constant. We can have polynomials over finite and infinite rings and fields.
A non-constant polynomial is irreducible if it cannot be written as the product of two or more non-constant polynomials. Irreducible polynomials play a role for polynomials similar to that played by prime numbers for the integers.
The variable x has no special significance: with respect to a particular polynomial, it is merely a placeholder. Of course, we can substitute a value for x to evaluate the polynomial; that is, the variable x is only significant when we replace it with something.
We can identify a polynomial with its coefficient vector .
Polynomials over acquire a special significance in cryptography, because the coefficient vector is simply a bit string and can be represented efficiently on computers (for example, a polynomial of degree up to 7 can be represented as an 8-bit byte); addition and subtraction are identical; and the sum of two such polynomials represented as bit strings is computed with bitwise (XOR).
2.3 Encodings. We formally introduce encodings here.
Let be total. Choose bijections and . We call the encoded version of F. d is the input encoding or domain encoding and r is the output encoding or codomain encoding. A bijection such as d or r is simply called an encoding. In the particular case, F is a function.
Then the diagram shown in Fig. 1 commutes, and computation with F' is simply computation with an encrypted function [28, 29]. As shown in Fig. 1, only D', F' (the encrypted function) and R' are visible to the attacker. None of the original information (D, F, R) is visible to the attacker, nor is the information used to perform the encoding.
Let , where for , . Then the relation concatenation is the relation , where i ranges over , . Clearly, . If the are bijections and hence encodings, then B is also a bijection and an encoding. B is then called a concatenated encoding, and is the i-th component of B.
(We can regard the above as the special case of the following in which and all have the value 1.) For , let . Then the relation aggregation is the relation where i ranges over , . Clearly, . If the are bijections and hence encodings, then B is also a bijection and an encoding. B is then called an aggregation encoding, and is the i-th component of B.
For , let . Then the relation conglomeration is the relation , .
2.3.1 Networks of encoded computations. Usually the output of a transformation becomes the input of another, subsequent transformation, which means that the output encoding of the first must match the input encoding of the second, as follows.
For a network of encoded computations (that is, transformation X followed by transformation Y), the encoding has the form .
In the general case we have a network of such encodings, which is a data-flow network whose node functions are encoded functions.
Encodings can be derived from algebraic structures (see ). For example, finite ring encoding (FR) is based on the fact that the affine function on is lossless whenever s is odd, where w is the word width; this lets the modulus be the natural machine integer modulus, implemented by ignoring overflow.
We note from Fig. 1 that the key to encoded computation is that the input, the output and the computation are all encoded. For example, consider , the ring of integers modulo , where w is the preferred word width of some computer (typically 8, 16, 32 or 64, with the trend over time toward greater widths). The units of (that is, the elements having multiplicative inverses) are the odd elements .
Suppose we want to encode addition, subtraction and multiplication on a binary computer with word width w, the unencoded computations being performed on . We can use affine encodings on . For unencoded variables with corresponding encoded variables , where , we want to determine how to compute
--------------
1 The notation for function aggregation was introduced by John Backus in his ACM Turing Award lecture. It has been applied here to general binary relations.
; that is, we need an expression for . (In a network of such operations we will have many different encodings , with the requirement that the result of an operation adopt the same encoding as the corresponding input encoding of the consuming operation.)
Expressed on : ; -x in two's complement is -x in ; and xy in two's complement is xy in . Hence, if is the encoding of v and is its inverse, then and ( being another affine function on ). So
which has the general form , with constants ; the raw data and the encoding coefficients vanish. If y is a constant k to be added or subtracted, we can choose (that is, and ), whereupon the formula above reduces to
which has the general form for constants . Alternatively, we can compute for , where we define and , so that can be computed without fully computing . To obtain without computing , we simply define with and set . Similarly, for subtraction:
which again has the general form , with constants ; the raw data and the encoding coefficients vanish. If is a constant c, we proceed as above for addition, setting k = -c. To subtract , we can compute without computing by ignoring and , and then add k as described above. For multiplication:
which has the general form for constants . Finally, if x is a constant k, we can choose e_x = id (that is, s_x = 1 and b_x = 0), in which case the multiplication equation reduces to:
which has the general form for constants . Alternatively, if k is invertible in , we can compute by defining and , which has the canonical affine form of an FR encoding and lets us take for ; however, then uses the encoding rather than its own encoding , so that we can compute without fully computing .
Higher-degree polynomials can also be used: in general [27], for , over , is a permutation polynomial (that is, a bijective or lossless polynomial) iff
(1) for , is (mod ),
(2) is odd,
(3) is even, and
(4) is even;
this characterization is due to Rivest. (Only of the bijections on can be written as such permutation polynomials over .) The higher the degree, the more entropy is included in the choice of polynomial, but time and space complexity increase correspondingly.
Permutation polynomials exist over many rings and fields. Klimov [17] extended this characterization to what he calls generalized permutation polynomials, which are similar to those described above except that any given may be either + or - (mod ) or bitwise XOR ( ), and the operations may be applied in any fixed order.
Although we can write polynomials of arbitrary degree, every polynomial over is equivalent to a polynomial of quite limited degree. In fact, it is known that for , every permutation polynomial P over has an equivalent permutation polynomial Q over of degree .
The difficulty with permutation polynomials (generalized or not) is that they only become truly useful when their inverses are known and conveniently computable. Most known permutation polynomials have inverses of high degree (for a permutation polynomial over , close to ). However, using the (non-generalized) characterization of Rivest above, if for , , then the inverse has the same degree as the polynomial requiring inversion. The inverse equations for permutation polynomials are as follows (for a more rigorous treatment, see section C):
2.3.2 Quadratic polynomials and their inverses. If , where and b is odd, then P is invertible, and , where the constant coefficients are defined as follows:
and
2.3.3 Cubic polynomials and their inverses. If , where and c is odd, then P is invertible, and , where the constant coefficients are defined as follows:
and
2.3.4 Quartic polynomials and their inverses. If , where and d is odd, then P is invertible, and , where the constant coefficients are defined as follows:
and
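The following Python is an added example, not the patent's own code: it implements Rivest's criterion for permutation polynomials over Z/(2^w) as stated above, cross-checks it exhaustively at small w, and inverts a quadratic PP written here in ascending order as P(x) = a + b x + c x^2 under the assumption that b is odd and c^2 = 0 mod 2^w (the nilpotent-coefficient condition the text refers to); the inverse coefficient formulas are derived in the comments, and the page's own coefficient formulas are not reproduced.

```python
"""Added example, not from the patent: permutation polynomials (PPs) over
Z/(2^w).  Rivest's criterion [27] for when a polynomial is a PP, a brute-force
cross-check at small w, and an inverse for a quadratic PP whose x^2 coefficient
c is nilpotent (c^2 = 0 mod 2^w).  The inverse formulas are derived here."""
from itertools import product

def eval_poly(coeffs, x, w):
    """Evaluate a0 + a1*x + ... + ad*x^d modulo 2^w by Horner's rule."""
    mod = 1 << w
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % mod
    return acc

def is_pp_rivest(coeffs, w):
    """Rivest's criterion for w >= 2: P is a PP over Z/(2^w) iff a1 is odd,
    a2 + a4 + ... is even and a3 + a5 + ... is even (a0 is unconstrained)."""
    assert w >= 2
    a = list(coeffs) + [0, 0, 0]            # pad so the slices below exist
    return a[1] % 2 == 1 and sum(a[2::2]) % 2 == 0 and sum(a[3::2]) % 2 == 0

def is_pp_brute(coeffs, w):
    """Exhaustive check that P permutes Z/(2^w); feasible only for small w."""
    return len({eval_poly(coeffs, x, w) for x in range(1 << w)}) == 1 << w

def criterion_matches_brute(w, degree):
    """Compare the criterion with brute force over every coefficient tuple."""
    return all(is_pp_rivest(c, w) == is_pp_brute(c, w)
               for c in product(range(1 << w), repeat=degree + 1))

def invert_quadratic(a, b, c, w):
    """Coefficients (d, e, f) of Q(y) = d + e*y + f*y^2 with Q(P(x)) = x,
    for P(x) = a + b*x + c*x^2 with b odd and c^2 = 0 mod 2^w.
    Expanding Q(P(x)) and dropping every term containing c^2 gives
        f = -c/b^3,  e = 1/b + 2*a*c/b^3,  d = -a/b - a^2*c/b^3   (mod 2^w),
    so the inverse has the same degree as P, as the text states."""
    mod = 1 << w
    assert b % 2 == 1 and (c * c) % mod == 0, "need b odd and c nilpotent"
    b1 = pow(b, -1, mod)          # b is a unit of Z/(2^w), so 1/b exists
    b3 = pow(b1, 3, mod)
    f = (-c * b3) % mod
    e = (b1 + 2 * a * c * b3) % mod
    d = (-a * b1 - a * a * c * b3) % mod
    return (d, e, f)

def inverse_is_correct(a, b, c, w):
    """Check Q(P(x)) == x for every x in Z/(2^w) (exhaustive, small w)."""
    p, q = (a, b, c), invert_quadratic(a, b, c, w)
    return all(eval_poly(q, eval_poly(p, x, w), w) == x for x in range(1 << w))
```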
2.3.5 Remarks on permutation polynomials over . Let p be a prime and n . The attributes of permutation polynomials over were investigated in a 1984 paper by Mullen and Stevens [19], which tells us the following.
(1) Where is the number of PPs over , for any , m > 0, with , the distinct primes and , we have .
(2) The number of functionally distinct PPs over is , where , is the largest integer with , and . Note that is an integer but , and we have (mod p).
(3) Every polynomial function can be expressed in falling-factorial form
where , ; is the falling factorial.
2.3.6 Remarks on permutation polynomials over . For computers with w-bit words, PPs over are particularly convenient, because addition, multiplication and subtraction modulo can be performed by simply ignoring overflow, underflow and the distinction between binary-magnitude and two's-complement computation, and taking the ordinary uncorrected hardware result on such a machine. Moreover, this is also the default behaviour for computations on operands of type int, signed int or unsigned int in programs written in C, C++ or Java.
Adapting the result above [19], the number of functionally distinct PPs over is: , where , is the largest integer with , and . Note that is an integer but , and we have (mod 2).
2.3.7 General remarks on encodings. denotes an encoded implementation derived from the function P. To emphasize that P maps m-vectors to n-vectors, we write . P is then called an function or transformation. For a matrix M, indicates that M has m columns and n rows. (These notations correspond naturally, treating the application of M to a vector as the application of a function.)
(mnemonic: entropy-transfer function) is any function from m-vectors over B to n-vectors over B which, for , loses no bits of information and, for , loses at most m-n bits. A lossy function is not an instance of . Repeated occurrences of in a given equation or set of equations denote the same function.
(mnemonic: entropy vector) is any vector chosen from . Repeated occurrences of in a given equation or set of equations denote the same vector.
An affine function or affine transformation (AT) is a vector-to-vector function V, defined for all vectors by for all (briefly: ), where M is a constant matrix and d is a constant displacement vector. If A and B are ATs, then so are and , where defined. A linear function or linear transformation (LT) is .
For some prime power , a function from k-vectors to m-vectors over is deeply nonlinear iff there are no linear function and encodings such that .
(Note that if , where is affine, then certainly for some linear , because we can choose to perform the element-wise addition of the vector displacement.)
If is not deeply nonlinear for a prime power , we say that is linear up to encoding.
We have shown the following about linearity up to encoding and identities.
(1) If a function is linear up to encoding, then so are all of its projections.
(2) Two matrices are identical up to encoding iff one can be converted into the other by a series of multiplications of a row or column by a non-zero scalar.
(3) If two functions are linear up to encoding and identical up to encoding, then they are encodings of matrices which are themselves identical up to encoding.
(4) If two matrices are identical up to encoding, then so are their corresponding sub-matrices.
(5) If M is a non-zero matrix over , then there exists a matrix M' over such that M and M' are identical up to encoding, where M' (the canonical form of M) has a leading row and column containing only 0s and 1s.
2.3.8 * Fractures and fracture functions. As mentioned in , in general, when an encoded output is produced, it is consumed under the assumption of exactly the same encoding, so that the encoded operation becomes , where , are encodings and .
Sometimes it is advantageous to output a value with one encoding and subsequently input it under the assumption of some other encoding. If we output with encoding and later consume it assuming encoding , then in effect we have applied to the unencoded value. We call such a deliberate mismatch between the encoding in which a value is produced and the encoding assumed when it is consumed a fracture. If the encodings are linear, then so is the fracture function , and if they are permutation polynomials, then so is .
Fractures are potentially useful in obfuscation because the computation that they perform does not appear explicitly in the code: the amount of code for a normal network of encodings and for code augmented with operations by means of fractures is identical, and there is no obvious way to disambiguate the two cases, because the encodings themselves tend to be somewhat ambiguous.
Note that the defining attribute of a fracture is its fracture function, say . In general there are many different choices of consuming encoding v and producing encoding u that produce exactly the same fracture function: it is quite possible, for example, to have with for which is the same fracture function. Hence specifying a fracture function does not uniquely determine its producing and consuming encodings.
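The following Python is an added example, not the patent's code, serving both the encoded +, -, * of section 2.3 and the fractures of this section: affine FR encodings s*x + b on Z/(2^w) with W = 32 (constructed), the constants c_i that implement each operation directly on encoded values, and the fracture function v^-1 ∘ u obtained when a value produced under u is consumed as if under v; the names and the composition convention are assumptions of this example.

```python
"""Added example, not from the patent: finite-ring (FR) affine encodings on
Z/(2^w) and fractures.  Encoded +, -, * reduce to constants c_i in which the
raw data and the encoding coefficients s, b no longer appear; a fracture is a
deliberate mismatch between the producer's and the consumer's encoding."""
import random

W = 32
MOD = 1 << W           # arithmetic mod 2^w is what the machine does for free

class Affine:
    """e(x) = s*x + b mod 2^w; lossless exactly when s is odd (a unit of Z/(2^w))."""
    def __init__(self, s, b):
        assert s % 2 == 1, "s must be odd"
        self.s, self.b = s % MOD, b % MOD
    def enc(self, x):
        return (self.s * x + self.b) % MOD
    def inverse(self):
        s_inv = pow(self.s, -1, MOD)
        return Affine(s_inv, -s_inv * self.b)
    def dec(self, y):
        return self.inverse().enc(y)
    def after(self, inner):
        """Composition self ∘ inner, again affine: s_o*(s_i*x + b_i) + b_o."""
        return Affine(self.s * inner.s, self.s * inner.b + self.b)
    def __eq__(self, other):
        return (self.s, self.b) == (other.s, other.b)
    @staticmethod
    def random(rng):
        return Affine(rng.randrange(1, MOD, 2), rng.randrange(MOD))

def encoded_add(ex, ey, ez, sign=1):
    """Constants (c1, c2, c3) with ez(x ± y) = c1*ex(x) + c2*ey(y) + c3.
    sign=+1 gives addition, sign=-1 subtraction (the text's k = -c case)."""
    tx = ez.s * pow(ex.s, -1, MOD)
    ty = sign * ez.s * pow(ey.s, -1, MOD)
    return (tx % MOD, ty % MOD, (ez.b - tx * ex.b - ty * ey.b) % MOD)

def encoded_mul(ex, ey, ez):
    """Constants (c1..c4) with ez(x*y) = c1*x'*y' + c2*x' + c3*y' + c4."""
    c1 = ez.s * pow(ex.s * ey.s, -1, MOD) % MOD
    return (c1, -c1 * ey.b % MOD, -c1 * ex.b % MOD, (c1 * ex.b * ey.b + ez.b) % MOD)

def run_add(c, xp, yp):
    """The consumer's code: only the constants and encoded operands appear."""
    return (c[0] * xp + c[1] * yp + c[2]) % MOD

def run_mul(c, xp, yp):
    return (c[0] * xp * yp + c[1] * xp + c[2] * yp + c[3]) % MOD

def fracture(u, v):
    """Fracture function v^-1 ∘ u: what a consumer expecting encoding v
    effectively applies to the raw value when the producer used encoding u."""
    return v.inverse().after(u)

def pairs_with_fracture(f, n, seed=0):
    """n different (u, v) pairs that all realise the fracture f: pick any u,
    then v = u ∘ f^-1, so v^-1 ∘ u = f ∘ u^-1 ∘ u = f (non-uniqueness)."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(n):
        u = Affine.random(rng)
        pairs.append((u, u.after(f.inverse())))
    return pairs

def self_check(trials=200, seed=1):
    """Random round trips of the encoded operations; True when all agree."""
    rng = random.Random(seed)
    for _ in range(trials):
        ex, ey, ez = (Affine.random(rng) for _ in range(3))
        x, y = rng.randrange(MOD), rng.randrange(MOD)
        xp, yp = ex.enc(x), ey.enc(y)
        if ez.dec(run_add(encoded_add(ex, ey, ez), xp, yp)) != (x + y) % MOD:
            return False
        if ez.dec(run_add(encoded_add(ex, ey, ez, -1), xp, yp)) != (x - y) % MOD:
            return False
        if ez.dec(run_mul(encoded_mul(ex, ey, ez), xp, yp)) != (x * y) % MOD:
            return False
        f = fracture(ex, ey)
        if f.enc(x) != ey.dec(ex.enc(x)):      # consumer's view of a mismatched value
            return False
    return True
```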
2.4 Partial evaluation (PE). The partial evaluation (PE) of an MF is the generation of an MF by freezing some of the inputs of some other MF (or the MF so generated). More formally, let be an MF. The partial evaluation of for the constant is the derived MF such that for any and , . To indicate this PE relationship, we may also write . We may also call the derivation of the PE g of the MF f partial evaluation (PE). That is, the term partial evaluation can refer either to the derivation process or to its result.
To give a concrete example, we consider the case of compilation.
Without PE, for a compiler program p, we might have , where S is the set of all source-code files and E is the set of object-code files. Then denotes the application of the program p to a source file s, producing an object file e. (We take p to be a function, not merely an MF, because we normally want compilers to be deterministic.)
Now suppose we have a very general compiler q which takes as input a source program s and a pair of semantic descriptions: a description of the semantics of executable code on the desired target platform t, and a source-language semantic description d. It compiles the source program into executable code for the desired target platform according to the source-language semantic description. Then we have , where S is the set of source-code files, D is the set of source semantic descriptions, T is the set of platform executable-code semantic descriptions, and E is the union of the object-code files for all platforms. Then, for a constant tuple (that is, a pair consisting of a particular source-language semantic description and a particular target-platform semantic description), the specific compiler is a PE p of q; namely, for some specific constant , . In this case, X (the input set retained by the PE) is S (the set of source-code files), Y (the input set removed by the PE by selecting a particular member of it) is (the Cartesian product of the set D of source semantic descriptions and the set T of target-platform semantic descriptions), and Z (the output set) is E (the set of object-code files).
PE is used in [10, 11]: the AES-128 cipher [16] and the DES cipher [18] are partially evaluated with respect to the key so that the key is protected from attackers. A more detailed description of the basic method and system is given in [21, 22].
When an optimizing compiler replaces general computations with specific ones by determining that an operand will be constant at run time, and then replaces operations involving that constant with more specific operations that no longer need to input the (effectively constant) operand, the optimizing compiler is performing PE.
2.5 Output extension (OE). Suppose we have a function. A second function is an output extension (OE) of it if, for each input, the second function yields everything the first yields together with some additional output; that is, it gives us whatever the first function gives us, plus further information beyond that output.
We also use the term output extension (OE) for the process of finding such an extended function, given the original one.
When the original function is implemented as a routine or other program segment, a routine or program segment implementing an OE of it can generally be determined directly, because the problem of finding such a function is very loosely constrained.
2.6 Reverse partial evaluation (RPE). To create general, low-overhead, effective interlocks that tie protections to an SBE, we will employ a novel method based on reverse partial evaluation (RPE).
Significantly, for almost any MF or program, there is a very large set of programs or MFs, each paired with a constant, such that partially evaluating any member of the set at its constant always yields the original program or MF.
We call the process of finding such a tuple (or a tuple found by this process) reverse partial evaluation (RPE).
Note that PE tends to be specific and deterministic, whereas RPE offers an indefinite and large number of alternatives: for a given program, any number of different tuples may exist, each of which qualifies as an RPE of it.
Finding an efficient program of which a given program is a PE may be very difficult; that is, the problem is very tightly constrained. Finding an efficient RPE of a given program is usually very easy, because we have so many legitimate choices; that is, the problem is very loosely constrained.
2.7 Control-flow graphs (CFGs) in code compilation. In compilers, we typically represent the possible flow of control through a program by a control-flow graph (CFG; see the definition above), in which each basic block (BB) of executable code (a "straight-line" code sequence with a single entry point and a single exit point, executed sequentially from its entry to its exit) is represented by a graph node, and an arc connects the node for BB U to the node for BB V if, during execution of the program, control could possibly flow from the end of BB U to the start of BB V. This can happen in several ways:
(1) Control may flow naturally from BB U into BB V.
For example, in the following C code fragment, control flows naturally from U into V:
(2) Control may be directed from U to V by an intra-procedural control structure such as a while loop, an if statement or a goto statement.
For example, in the following C code fragment, control is directed from A to Z by a break statement:
(3) Control may be directed from U to V by a call or a return.
For example, in the following C code fragment, control is directed from B to A by the call to f() in the body of g(), and from A to C by the return from that call to f():
(4) Control may be directed from U to V by an exceptional control-flow event.
For example, in the following C++ code fragment, control may be directed from U to V by the failure of a dynamic_cast of a reference to a reference to an object of class A:
For each node of the CFG, let the node n represent a particular BB, and let this BB compute the MF determined by the node: the BB n comprises some function (for the control, C; for the transfers, T) whose input set X is the set of all possible values read and used by the code of n (and hence the inputs to the function) and whose output set Y is the set of all possible values written out by the code of n (and hence the outputs of the function). Typically this is a function, but if nondeterministic inputs are used, such as the current reading of a high-resolution hardware clock, then it is an MF and not a function. In addition, some computer hardware includes instructions that can produce nondeterministic results, which again can make it an MF and not a function.
For a whole program with a CFG and start node n0, we identify N with the set of the program's BBs, we identify n0 with the BB that appears at the start of the program (typically, for a C or C++ program, the initial BB of the routine main()), and we identify T with each feasible transfer of control from one BB of the program to another.
Sometimes, instead of a CFG for the whole program, we may have a CFG for a single routine. In that case, we identify N with the BBs of the routine, we identify n0 with the BB that appears at the start of the routine, and we identify T with each feasible transfer of control from one BB of the routine to another.
2.8 Permuting by swapping. Here we consider how to produce a permutation of n elements using only random swap units, each of which computes either the identity (no swap) or the exchange of its two inputs (swap), each with its respective probability.
2.8.1 Permuting by blind swapping. A sorting network can be represented, as shown in Fig. 7, by a series of parallel lines 72 where, at certain points and at right angles to the lines, a cross-connection 74 (representing a compare-and-swap-if-greater operation on the two data elements carried by the lines it connects) joins one line to another. If, whatever the input, the outputs emerge in sorted order, the network so produced is a sorting network. The comparisons in a sorting network are data-independent: the correctly sorted result appears at the right-hand end of the lines regardless of the data introduced at the left-hand end of the pipeline. Moreover, the compare-and-swap-if-greater operations can be reordered, provided the relative order of comparisons that share an end point is preserved.
An efficient way to construct such a sorting network for n nodes is Batcher's odd-even merge sort [2], which is a data-independent sort: the same compare-and-swap-if-greater operations are performed whatever data is being sorted. When sorting a set of n elements, the algorithm performs a fixed number of comparisons. Details of the algorithm can be found at the URLs in [3].
If such a network sorts arbitrary data into order, then it follows that, if the compare-and-swap-if-greater operations are replaced by swap operations that swap with some probability, the same network configuration turns a sequence of n distinct elements into a randomly ordered sequence, possibly with a biased order. This is the basis of the mechanism we use for permuting by means of pseudorandom true/false variables, which are created by a computation.
Note that the number of permutations of n elements is n!, whereas the number of swap configurations, in which the i-th bit position indicates whether or not the i-th swap is performed, is 2 to the power b(n), where b(n) is the number of stages in the Batcher network that sorts n elements.
For example, for n = 3, n! = 6 and b(n) = 3, so there are certainly permutations that can be selected in more than one way, but some cannot be. Similarly, for larger n there are certainly permutations that can be selected in more than one way, but the number of swap configurations selecting a given permutation cannot always be the same, because the number of configurations is not a multiple of the number of permutations.
To reduce bias, we would like the number of ways of reaching any permutation to be roughly the same for every permutation. Because n! is not a power of two for any n above 2, this cannot be achieved simply by adding extra stages. In some cases it is necessary to use additional methods to reduce the bias.
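As an added illustration of the swap-network mechanism described in this subsection (this is example code, not the patent's own), the block below builds Batcher's odd-even merge sort network for a power-of-two n, shows that it sorts any input, and then replaces every compare-and-swap-if-greater with "swap iff a decision bit is set" and enumerates all swap configurations to measure how unevenly the n! permutations are reached. The function names and the decision-bit representation are my own; the iterative formulation of the network is the standard one.

```python
from collections import Counter
from itertools import product
from math import factorial

def batcher_network(n):
    """Compare-exchange list (i, j) with i < j for Batcher's odd-even merge sort, n a power of two.
    Standard iterative formulation: comparators are listed stage by stage, in execution order."""
    assert n > 0 and n & (n - 1) == 0, "n must be a power of two"
    comps = []
    p = 1
    while p < n:
        k = p
        while k >= 1:
            for j in range(k % p, n - k, 2 * k):
                for i in range(min(k, n - j - k)):
                    if (i + j) // (2 * p) == (i + j + k) // (2 * p):
                        comps.append((i + j, i + j + k))
            k //= 2
        p *= 2
    return comps

def sort_with_network(data, comps):
    """Data-independent sort: the same compare-and-swap-if-greater steps run whatever the input is."""
    a = list(data)
    for i, j in comps:
        if a[i] > a[j]:
            a[i], a[j] = a[j], a[i]
    return a

def permute_with_bits(comps, n, bits):
    """Blind swapping: the i-th decision bit says whether the i-th comparator swaps, regardless of data."""
    a = list(range(n))
    for (i, j), b in zip(comps, bits):
        if b:
            a[i], a[j] = a[j], a[i]
    return tuple(a)

def swap_configuration_distribution(n):
    """How often each permutation of 0..n-1 is produced over all 2**b(n) swap configurations."""
    comps = batcher_network(n)
    return Counter(permute_with_bits(comps, n, bits) for bits in product((0, 1), repeat=len(comps)))

def bias_report(n):
    """Summarize the bias: how many distinct permutations appear, and the max/min frequency ratio."""
    dist = swap_configuration_distribution(n)
    return {
        "permutations_reached": len(dist),
        "configurations": 2 ** len(batcher_network(n)),
        "max_over_min": max(dist.values()) / min(dist.values()),
        "all_reached": len(dist) == factorial(n),
    }
```

For n = 4 the network has 5 comparators, so 32 swap configurations are spread over 24 permutations: every permutation is reachable, but 8 of them are reached by two configurations each, giving the 2:1 bias the text warns about.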
2.8.2 Permuting by controlled swapping. The method described in 2.8.1 suffers from significant bias (the bias can easily exceed two to one). The problem is that the number of random swap/no-swap decisions is always a power of 2, while the number of permutations is always a factorial, and for more than two elements the number of permutations never divides the number of swap/no-swap sequences; these sequences lie between 0 and a power of two less one (inclusive) and can be regarded as strings of k bits, one bit per swap/no-swap decision.
There are two different mechanisms we can deploy to obtain results from the same kind of decision element (comparing two pseudorandom numbers). We start from a direct selection problem: to generate a permutation, we choose one of n elements for a given position, then one of the remaining n-1 elements for another position, and so on, until we are forced to place the last remaining element in the last remaining position.
The first method of removing bias can be called attenuation. Suppose, for example, that we need to choose one of 12 elements. We can create a binary decision tree with 16 leaf nodes and map these leaves onto the 12 elements, so that 8 of the elements are reachable via one leaf each and 4 are reachable via two leaves each. (The 16 leaves are simply wrapped around the 12 choices until all the leaves are used; that is, we repeat the element numbers 1 to 12 until we have an element number for each of the 16 leaves, creating a sequence of 16 elements.) At this point our selection has a maximum bias of 2:1. If we use a tree with 32 leaves, we have 4 elements reachable from two leaves each and 8 reachable from three, and our maximum bias drops to 3:2. If we use a tree with 64 leaves, we have 8 elements reachable from 5 leaves each and 4 reachable from 6, and our maximum bias drops to 5:4. Attenuation produces fast but bulky code.
The second method of removing bias can be called reselection. As above, suppose we need to choose one of 12 elements. We create a binary decision tree with 16 leaf nodes and map 12 of the leaves to the 12 choices. The other four leaves are mapped to "try again": the whole selection is performed once more. With some probability we succeed on the first attempt; with a higher probability we succeed within the first two attempts; and with a higher probability still we succeed within the first three attempts. Reselection has the advantage that it can almost completely eliminate bias. It is also spatially compact, although it involves some repeated steps. Furthermore, because we will want to bound the number of iterations, it involves a repeat count and falls back to a (slightly) biased selection in the rare cases where that count is exceeded. Reselection is more compact and slower than attenuation, and removes more of the bias.
The third method of removing bias can be called reconfiguration. As above, suppose we need to choose one of 12 elements. We note that with 16 leaf nodes we have a 2:1 bias, with 8 elements reachable one way and 4 reachable two ways. Suppose we set up three different mappings of leaves to elements, such that each of the 12 elements is in the "one-way" set in two of the configurations and in the "two-way" set in one. We then select one of the three configurations (using reselection), and then use the 16-leaf count of the chosen configuration to make the selection, which yields an almost perfectly unbiased choice; and we only had to apply reselection to 3 elements instead of 12. At the cost of a little extra data, this method gives the best combination of compactness and speed when the number of configurations needed to eliminate the bias is small. (The maximum number of configurations is bounded above by the number of elements we are selecting from, but with that many configurations reconfiguration is pointless, because choosing the configuration is then just another instance of the very problem whose bias we are trying to reduce.)
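To make the three bias-removal methods concrete, here is an added example (mine, not from the patent) that computes the exact selection probabilities, as fractions, for the 12-of-16 case the text uses. It models attenuation (wrapping element numbers around the leaves), reselection with a bounded repeat count that falls back to the attenuation choice, and reconfiguration over three leaf-to-element maps, plus a small runtime selector driven by a pseudorandom true/false source. The decision that the fallback after the repeat count is the attenuation map, and that the configuration is itself picked by reselection, are my reading of the text; the function names are mine.

```python
from fractions import Fraction
import random

def attenuation_map(n, leaves):
    """Wrap the element numbers 0..n-1 around the leaves until every leaf names an element."""
    return [i % n for i in range(leaves)]

def distribution(mapping, n):
    """Exact probability of each element when one leaf of the mapping is chosen uniformly."""
    dist = [Fraction(0)] * n
    for e in mapping:
        dist[e] += Fraction(1, len(mapping))
    return dist

def max_bias(dist):
    """Ratio of the most likely to the least likely element (1 means unbiased)."""
    return max(dist) / min(dist)

def attenuation_dist(n, leaves):
    return distribution(attenuation_map(n, leaves), n)

def reselection_dist(n, leaves, max_tries):
    """Leaves 0..n-1 select an element and the remaining leaves mean 'try again'.  After max_tries
    failures the (slightly biased) attenuation choice is used, modelling the bounded repeat count."""
    retry = Fraction(leaves - n, leaves)
    dist = [Fraction(0)] * n
    for t in range(max_tries):
        for e in range(n):
            dist[e] += retry ** t * Fraction(1, leaves)
    fallback = attenuation_dist(n, leaves)
    for e in range(n):
        dist[e] += retry ** max_tries * fallback[e]
    return dist

def reconfiguration_maps(n, leaves):
    """n // (leaves - n) leaf-to-element maps; each element is two-way reachable in exactly one of them."""
    extra = leaves - n
    assert n % extra == 0, "this simple layout needs (leaves - n) to divide n"
    return [list(range(n)) + list(range(c * extra, (c + 1) * extra)) for c in range(n // extra)]

def reconfiguration_dist(n, leaves):
    """Assumes the configuration is chosen uniformly (by reselection over the few configurations)."""
    maps = reconfiguration_maps(n, leaves)
    dist = [Fraction(0)] * n
    for m in maps:
        for e, p in enumerate(distribution(m, n)):
            dist[e] += p / len(maps)
    return dist

def reconfiguration_select(n, leaves, bit):
    """Runtime selector: bit() returns one pseudorandom 0/1 decision.  Pick a configuration by
    reselection (only 3 candidates for 12-of-16), then a leaf of that configuration."""
    maps = reconfiguration_maps(n, leaves)
    width = (len(maps) - 1).bit_length()
    while True:
        c = sum(bit() << i for i in range(width))
        if c < len(maps):
            break
    leaf = sum(bit() << i for i in range((leaves - 1).bit_length()))
    return maps[c][leaf]
```

With 12 elements and 16 leaves, attenuation gives a 2:1 bias, three rounds of reselection reduce it to 86:85, and reconfiguration over the three maps is exactly uniform because every element is counted once, once and twice across the maps.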
2.9 Deep nonlinearity: function-indexed interleaving. The AES-128 implementation described in [10] was built using the methods of [21], and was penetrated by the attack in [4]. Although this attack succeeded, it is very complex and requires considerable human effort to apply to any particular software implementation, so even without modification the methods of [21] remain useful. Strengthening an implementation built according to [21] by the methods of [22] makes the attack of [4] extremely difficult to carry out successfully. But we now seek stronger protection, and so we should find a way to further secure the methods of [21,22] so that attacks such as that in [4] become infeasible.
2.9.1 Shallow nonlinearity and homomorphic-mapping attacks. Implementations built according to [21,22] make heavy use of wide-input linear transformations (see [21], pp. 9-10) and of the matrix-blocking method described in [21] (paragraphs [0195] to [0209]). The following is true: the methods of [21] produce a nonlinearly encoded implementation of such a linear-transformation matrix. However, the implementation is only shallowly nonlinear. That is, the matrix is converted into a network of substitution boxes (lookup tables), which necessarily have a limited number of elements because of space constraints. (The nonlinear encodings applied to the values used to index such boxes and to the element values obtained from them, which are arbitrary 1-to-1 functions and can themselves be expressed as substitution boxes, that is, as lookup tables, are likewise restricted to a limited range by space constraints.)
Consequently, until the input and output encodings are applied, any data transformation computed by such an implementation, whether represented by a blocked matrix realized as a network of substitution boxes or by a similar device representing what is essentially an arbitrary random function, is linear; that is, by separately recoding each input-vector element and separately recoding each output-vector element, any such transformation can be converted into a linear function.
The attack method of [4] is an example of the class of attacks based on homomorphic mapping. In the case of the field over which AES computes, the attack exploits the known properties of linear functions, since they are the algebraic basis of the computation in AES. In particular, addition in this field is performed by bitwise XOR, and this function defines a Latin square of a precisely known form. It is therefore possible to search for a homomorphism from an encoded lookup-table version of the function to the unencoded version, and, for a function of the known composite form involving bitwise XOR, to find with reasonable efficiency an approximate solution for a particular affine map A (that is, an affine map A approximating the true one). These facts are exploited in the attack of [4], and there are other attacks that could similarly exploit the fact that the blocked-matrix function implementations of [21,22] are linear up to encoding. Such attacks yield only partial information, but they can narrow the search for the precise information to a point at which the remaining possibilities can be explored by exhaustive search. For example, white-box implementations of the encryption or decryption of a block cipher built using [21,22] may be vulnerable to key-extraction attacks such as that in [4], or to related attacks based on homomorphic mapping.
2.9.2 Defeating homomorphic mapping: deeply nonlinear functions. The solution to homomorphic-mapping attacks is to replace such matrix functions with functions that are (1) wide-input, that is, the number of bits in a single input is large, so that the set of possible input values is enormous, and (2) deeply nonlinear, that is, functions that cannot be converted into linear functions by encoding (that is, by separately recoding the individual inputs and separately recoding the individual outputs).
Making the inputs wide makes brute-force inversion by tabulating the function over all inputs consume an impractically large amount of memory, and deep nonlinearity prevents homomorphic-mapping attacks such as that in [4].
For example, we could replace the MixColumns and InvMixColumns transformations in AES with deeply nonlinear MDS transformations, making brute-force inversion of either of them impractical: MixColumns and InvMixColumns in AES input and output 32-bit (4-byte) values, whereas the deeply nonlinear MDS transformations input and output 64-bit (8-byte) values. Let us call these modified versions MixColumns64 and InvMixColumns64. (Because encryption of a message is completed at the sender and decryption at the receiver, which are normally different network nodes, an attacker normally has access to only one of the two.)
For example, suppose we wish to construct such a deeply nonlinear vector-to-vector function over a Galois field (where n is the size, as a bit string, of the polynomials used in the implementation) or, correspondingly, over a finite ring (where n is the desired element width). Let u + v = n, where u and v are positive nonzero integers. Let G be our chosen representation of the field (or, correspondingly, the ring) of n-bit elements, and let the two smaller representations be our chosen representations of the field (or ring) of u-bit elements and of v-bit elements respectively.
Suppose we need to implement a deeply nonlinear function with the stated conditions on p and q (one of which involves 3); that is, a mapping of p-vectors over our chosen representation G to q-vectors over G.
If we wanted a linear function, we could construct one using a matrix over G, and if we wanted a function that is nonlinear but linear up to encoding, we could use an encoded implementation of such a matrix, blocked according to [21,22]. But these methods are insufficient to obtain deep nonlinearity.
We note that the elements of G and of the two smaller representations are all bit strings (of lengths n, u and v respectively). For example, if n = 8 and u = v = 4, then the elements of G are 8-bit bytes, and the elements of the u-bit and v-bit representations are 4-bit nibbles.
The construction below is called function-indexed interleaving. We introduce two operations, bit extraction and concatenation, which are easily implemented on any real modern computer, as will be understood by those who write code generation for compilers. For a bit string, extraction returns bits r through s (inclusive). For a vector of bit strings, extraction returns the new vector obtained by taking bits r through s (inclusive) of each element of the old vector. For two vectors V and W of equal-length bit strings, concatenation returns the vector each of whose elements is the concatenation of the corresponding element of V with the corresponding element of W.
To obtain the deeply nonlinear function described above, we proceed according to the flowchart of Fig. 8 as follows.
80 Select a function L, or equivalently select a matrix over the u-bit representation. (Singular square submatrices may create vulnerabilities to homomorphic mapping, so preferably the largest square submatrices of the matrix representation of L are nonsingular. If L is MDS, no square submatrix of L is singular, so this preference is certainly satisfied.)
82 Select the second family of functions, or equivalently select matrices over the v-bit representation. (As above, singular square submatrices may create vulnerabilities to homomorphic mapping, so preferably the largest square submatrices of their matrix representations are nonsingular. If they are MDS, none of their square submatrices is singular, so this preference is certainly satisfied.)
84 Select a function s that is "onto" (surjective) its range.
Apart from the requirement that s be onto, we may choose s at random. However, even a simple construction suffices to obtain s. As an example, our preferred construction for s is as follows.
For a given size of the range, we select a linear function (or, equivalently, a matrix over the u-bit representation) followed by a reduction function; for the next size, we likewise select a linear function and a reduction function, and so on. Then let s be the composition of the two. In a preferred embodiment, k is 2, 1 or 8, or some other power of 2.
Suppose k = 2. Then the reduction function can return the low-order bit of the bit-string representation of an element; if k = 4, it can return the low-order 2 bits; and in general, if k is 2 to the power m, it can return the value of the bit string modulo k, which for our preferred choice is obtained by extracting the m low-order bits of the linear function's output.
The preferred method above lets us implement the linear part of s as a blocked matrix, so that the methods of [21,22] can be applied to it. Moreover, when that linear part is invertible, we can use this preferred construction directly to obtain the required function by the implementation below, whose structure is similar to that of the function constructed. For any input, let
and
, where .
The function defined in step (4) above may or may not be deeply nonlinear. The next step therefore checks for deep nonlinearity. We use the following test to determine this.
If we freeze all of the function's inputs but one to constant values and ignore all of its outputs but one, we obtain a projection of it. If we choose different values for the frozen inputs, we may obtain different projection functions. For a linear function, or a function that is linear up to encoding, the number of distinct projection functions obtainable by choos ing different values for the frozen inputs is easily calculated. For example, under the stated conditions on the dimensions, if the projections are 1-to-1 then exactly a known number of such functions exist, and otherwise only a limited number of them can be 1-to-1 in this configuration.
We simply count such functions, representing each as a vector over G (for example, by using a hash table to store the number of occurrences of each vector as the p-1 frozen input constants range over all possibilities). If the number of distinct projection functions cannot be obtained by replacing the function with a matrix, then the function is deeply nonlinear.
Note that we need not perform the above test on the whole function but may perform it on a projection of it instead, which speeds up the test: we obtain that projection by freezing all inputs but three to constant values and ignoring all outputs but one. This reduces the number of function instances that must be counted for a given unfrozen input and a given non-ignored output, which can give a considerable speed-up. Moreover, if the function is deeply nonlinear, we usually discover this quite quickly during the test: the first time we find a projection whose function count cannot be obtained from a matrix, we know that the projection is deeply nonlinear, and hence that the function itself is deeply nonlinear.
If, using three randomly chosen inputs and one output, we fail to demonstrate the deep nonlinearity of the function, then it may be linear up to encoding.
(Note that it is possible for the projection-instance count to be obtainable from a matrix while the function nevertheless remains deeply nonlinear. But this is unlikely to occur by chance and we can ignore it. In any case, if the above test indicates that the function is deeply nonlinear, then it certainly is deeply nonlinear. That is, as a test for deep nonlinearity, the above test can yield false negatives but never false positives.)
If the test in step 88 does not show the function to be deeply nonlinear (or, for the variant described immediately below, sufficiently deeply nonlinear), we return to step 80 and try again.
Otherwise, we terminate the construction, having obtained the desired deeply nonlinear function.
As a variant of the above, we may want to obtain a function that is not only deeply nonlinear but whose projections are also deeply nonlinear. In that case, in step 88 above, we can increase the number of randomly chosen three-input, one-output projections for which we require that the instance count cannot be obtained from a matrix. The more of these we test, the more confident we are that the function is not only deeply nonlinear but deeply nonlinear over all parts of its codomain. We must balance the cost of such testing against the importance of obtaining a deeply nonlinear function whose deep nonlinearity across its codomain is increasingly assured.
2.9.3 Experimental verification. The preferred embodiment of the method for constructing deeply nonlinear functions was tried in 1000 pseudorandom trials with pseudorandomly generated MDS matrices L and a second matrix family, for the parameters used in the experiment. The MDS matrices were generated by the Vandermonde-matrix method with pseudorandomly chosen distinct coefficients. Of the 1000 functions produced, 804 were deeply nonlinear; that is, in 804 executions of the construction method, step 88 indicated on its first attempt that the method had created a deeply nonlinear function.
A similar experiment was performed in which, instead of the selector function built according to the preferred embodiment, the selector was implemented as a table of 16 1-bit elements, each chosen pseudorandomly from a fixed set. Of 1000 such functions, 784 were deeply nonlinear; that is, in 784 of these constructions, the first attempt of step 88 indicated that the construction method had created a deeply nonlinear function.
Finally, a similar experiment was performed in which s was created as a table of pseudorandomly chosen elements mapping its domain onto its range. In 1000 pseudorandom trials this produced 997 deeply nonlinear functions. However, it requires a table whose size grows with the domain (512 bytes for this small experiment, and 2048 bytes for a similar function having the same dimensions as the MixColumns matrix of AES) to store s.
Thus we see that the construction method given above for creating deeply nonlinear functions over Galois fields and rings, and in particular its preferred embodiment, is effective. Moreover, creating the inverse of a deeply nonlinear function so generated is straightforward, as we will see below.
2.9.4 Properties of the above construction. A function constructed as described above has the following properties:
(1) if L and the second matrix family are all 1-to-1, then it is 1-to-1;
(2) if L and the second matrix family are all bijective (that is, if they are 1-to-1 and onto, so that the input and output dimensions agree), then it is bijective; and
(3) if L and the second matrix family are all maximum-distance separable (MDS; see below), then it is MDS.
The Hamming distance between two k-vectors u and v is the number of element positions at which u and v differ. A maximum-distance-separable (MDS) function (where S is a finite set and the input and output vectors have the given dimensions) is a function such that, for any two inputs, if the inputs are at a given Hamming distance then the outputs are at least at the corresponding maximal Hamming distance apart. When the input and output dimensions are equal, such an MDS function is always bijective. Any projection of an MDS function obtained by freezing some of the inputs to constant values and ignoring all but some of the outputs is also an MDS function. If S is a Galois field or finite ring and the function is computed by a matrix M (an MDS matrix, since the function it computes on vectors is MDS), then any matrix obtained by deleting all but a selection of the rows of M and then deleting all but an equal number of its columns is nonsingular; that is, every square submatrix of M is nonsingular.
Such MDS functions are important in cryptography: they are used to perform a kind of "ideal mixing". For example, the AES cipher [16] uses an MDS function as one of the two state-element mixing functions in every round except the last.
2.9.5 Inverting the constructed function. When we employ a 1-to-1 (usually deeply nonlinear) function over some Galois field or finite ring G, we often also need its inverse, or at least a relative inverse. (In [21,22] the corresponding situation is that we have a 1-to-1 linear function which is shallowly nonlinear after encoding, and we need its inverse or relative inverse. But we can significantly strengthen [21,22] by substituting a deeply nonlinear function and its (relative) inverse.)
We now give a method by which such an inverse (when the input and output dimensions are equal) or relative inverse (when they are not) is obtained for a 1-to-1 function (deeply nonlinear or otherwise) created according to our method.
For any bijective function there exists a unique inverse function. When the output dimension exceeds the input dimension, the function cannot be bijective. It can, however, still be 1-to-1, in which case there exists a unique relative inverse. That is, if we ignore those vectors in the codomain that are not produced by calling the function, the relative inverse acts like an inverse for the vectors that can be produced by calling the function.
We now disclose a method for constructing such a relative inverse for a function constructed by our method whenever L and the whole second matrix family are 1-to-1 (in which case the input dimension does not exceed the output dimension). When the dimensions are equal, L and the second family are all bijective, and the relative inverse is also the (ordinary) inverse.
The method works when the selector function s (see step 84 of Fig. 8) is constructed from a linear function followed by a final function that maps the linear function's output into the range of size k by taking the remainder on division by k, as in the method adopted above. (If k is a power of 2, we can compute this by taking the low-order bits of the result, which is convenient but not actually required for our present purpose.)
We define two linear functions to be the relative inverses of L and of the second matrix family respectively. (Since these functions are computed by matrices, their relative inverses are easily and efficiently obtained by Gaussian elimination or the like, that is, by solving simultaneous linear equations using methods well known in the field of linear algebra over Galois fields and finite rings.)
From the construction we have the linear part of s. We define its counterpart for the inverse in terms of the relative inverse of L. (Hence its matrix is easily computed by the methods well known in linear algebra over Galois fields and finite rings.) We define the corresponding selector for the inverse likewise. We now have an onto selector function for the inverse.
The desired relative inverse, or ordinary inverse, is the function defined as follows.
For any output vector, let
and
, where .
When the dimensions are equal, this is simply the ordinary inverse. When the output dimension is larger, the function behaves as an inverse only for vectors in the image of the constructed function.
If we have the unconstrained form of s, that is, if it is not constructed as in the preferred embodiment above, we can still invert, or relatively invert, a bijective or 1-to-1 function. For example, if s is simply a table over the elements of its domain, then if we define a new table for the inverse, the equations above (but using these different selectors) remain correct. The new table can be obtained as follows: traverse all elements e of the domain, determine L(e), and place the contents of element e of s into element L(e) of the new table.
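The following block is an added, self-contained example (my code, not the patent's) of the construction in 2.9.2, the deep-nonlinearity test of step 88, and the inversion method of 2.9.5, at toy sizes small enough to check exhaustively. Because the page's formulas for steps 80 to 86 are missing, the block assumes the natural reading of "function-indexed interleaving": the upper halves of the input elements go through L, L's output drives the selector s, and the selected matrix from the second family is applied to the lower halves, the two halves then being concatenated element-wise; the inverse mirrors this, since the selector value is recoverable from the output's upper half. Assumed parameters: n = 4, u = v = 2, p = q = 3, the half-width field GF(4); L is the hexacode generator block (every square submatrix nonsingular), the second family is L and its image under the field automorphism, and s is the page's preferred form (sum of the three outputs, low-order bit, so k = 2). All names in the block are mine.

```python
from itertools import product

# ---- arithmetic in GF(2^m): elements are m-bit ints, addition is XOR, poly is the reduction polynomial
def gf_mul(a, b, m, poly):
    r = 0
    for _ in range(m):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:
            a ^= poly
    return r

def xor_sum(values):
    r = 0
    for v in values:
        r ^= v
    return r

def mat_vec(M, x, m, poly):
    return tuple(xor_sum(gf_mul(M[i][k], x[k], m, poly) for k in range(len(x))) for i in range(len(M)))

def mat_inv(M, m, poly):
    """Gauss-Jordan elimination over GF(2^m); M must be square and nonsingular."""
    n = len(M)
    A = [list(M[i]) + [int(i == k) for k in range(n)] for i in range(n)]
    for c in range(n):
        piv = next(r for r in range(c, n) if A[r][c])
        A[c], A[piv] = A[piv], A[c]
        inv = next(v for v in range(1, 1 << m) if gf_mul(A[c][c], v, m, poly) == 1)
        A[c] = [gf_mul(v, inv, m, poly) for v in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                fct = A[r][c]
                A[r] = [A[r][k] ^ gf_mul(fct, A[c][k], m, poly) for k in range(2 * n)]
    return [row[n:] for row in A]

# ---- assumed toy parameters: n = 4 bits per element, split into u = 2 upper and v = 2 lower bits, p = q = 3
N, U, V = 4, 2, 2
POLY_HALF = 0b111     # x^2 + x + 1: both halves live in GF(4); 2 represents omega, 3 represents omega^2
W, W2 = 2, 3
L = [[1, W, W], [W, 1, W], [W, W, 1]]               # hexacode block: every square submatrix nonsingular (MDS)
R = [L, [[1, W2, W2], [W2, 1, W2], [W2, W2, 1]]]    # R_0, R_1; R_1 is L under omega -> omega^2, also MDS

def selector(yu):
    """s = r_k . L_s with L_s(y) = y_0 + y_1 + y_2 over GF(4) and r_2 = low-order bit (the preferred form)."""
    return xor_sum(yu) & 1

def split(x):
    return tuple(e >> V for e in x), tuple(e & ((1 << V) - 1) for e in x)

def interleave(yu, yv):
    return tuple((a << V) | b for a, b in zip(yu, yv))

def f(x):
    """Function-indexed interleaving: L on the upper halves; L's output selects which R_j acts on the lower halves."""
    xu, xv = split(x)
    yu = mat_vec(L, xu, U, POLY_HALF)
    yv = mat_vec(R[selector(yu)], xv, V, POLY_HALF)
    return interleave(yu, yv)

L_INV = mat_inv(L, U, POLY_HALF)
R_INV = [mat_inv(Ri, V, POLY_HALF) for Ri in R]

def f_inverse(y):
    """The selector index is recoverable from the output's upper half, so the inverse has the same shape."""
    yu, yv = split(y)
    j = selector(yu)
    return interleave(mat_vec(L_INV, yu, U, POLY_HALF), mat_vec(R_INV[j], yv, V, POLY_HALF))

# ---- the step-88 test: count distinct one-input / one-output projections
def projection_count(func, p, i, j, size):
    """Freeze every input except i, keep only output j, and count the distinct functions G -> G
    that arise as the frozen constants range over all |G|^(p-1) possibilities."""
    seen = set()
    for frozen in product(range(size), repeat=p - 1):
        seen.add(tuple(func(frozen[:i] + (v,) + frozen[i:])[j] for v in range(size)))
    return len(seen)

def is_deeply_nonlinear(func, p, q, size):
    """A function linear up to per-element encoding yields at most |G| distinct projections (one per
    additive constant), so a larger count proves deep nonlinearity; a smaller count proves nothing."""
    return any(projection_count(func, p, i, j, size) > size for i in range(p) for j in range(q))

# ---- baseline: a plain matrix over GF(16), which is linear and must fail the test
POLY_G = 0b10011      # x^4 + x + 1 for GF(16)
M_LIN = [[2, 3, 1], [1, 2, 3], [3, 1, 2]]

def f_linear(x):
    return mat_vec(M_LIN, x, N, POLY_G)
```

For the linear baseline every projection count is exactly 16 = |G|, so the test reports nothing; for the interleaved function the projection on input 0 and output 1 takes 128 distinct forms, which no matrix can produce, so the test succeeds on that projection, and the mirrored inverse recovers every one of the 4096 inputs.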
2.10 Static single assignment (SSA) form. Suppose we compile a program written in a language such as C. The data will comprise scalar variables, arrays and structures.
A routine (a function, in C terminology) typically acts as an MF. Each routine can be represented by a control-flow graph (CFG; see 2.7), whose nodes represent basic blocks (BBs; that is, straight-line code segments lying between control transfers).
A routine is in static single assignment (SSA) form with respect to its scalar variables if and only if every scalar variable has exactly one dominating assignment. Otherwise it is in static multiple assignment (SMA) form.
We note that, in general, a C routine cannot be converted to SSA form with respect to its scalar variables within the C language itself. The reason is that there may be positions in the code, for example after an if construct that has both a then alternative and an else alternative, where two different data-flow paths merge; that is, where a variable (say x) is assigned in both the then path and the else path. A similar problem arises with loops, which can be entered from the top or re-entered from the bottom.
To handle this problem, a special form of assignment is added: the φ-assignment. For example, where x is assigned on both the then path and the else path, we can rename the assigned variable x to x1 and x2 on those paths respectively, and then, immediately after the paths merge at the bottom of the if construct, insert a φ-assignment that assigns x from x1 and x2. With the extension of φ-assignments, any C routine can now be converted to SSA form, provided every variable is initialized at the start. (If not, the further refinement cited below suffices to make the method fully general.) Using the conversion in [14], we need not perform the conversion in a C extended with φ-assignments (and the related assignment form discussed below); we can instead perform it in an intermediate representation in which variables can be subscripted as shown below, so that the corresponding original variable can always be found by removing the subscript.
2.10.1 Conversion from SMA form to SSA form. Conversion to SSA form involves:
(1) computing the dominators in the CFG, preferably using the dominance algorithm of [13];
(2) computing the dominance frontiers of the assignments in the CFG, which determine the optimal locations for  assignments, preferably using the dominance frontier algorithm of [13]; and
(3) converting the code to SSA form, preferably using the algorithm of [14] (minus its dominator and dominance frontier parts, which are replaced by the algorithms from [13]). Note: the conversion method in that paper can fail unless every variable in the original C routine is defined (that is, assigned a value) at a position that dominates all of its other uses. If this is not the case for some variable v, we can fix it by adding, at the start of the routine, immediately after the ENTER instruction and before the conversion from SMA to SSA form, an initial assignment of the form  (representing initialization to an undefined value).
2.10.2 Conversion from SSA form to SMA form. The reverse conversion from SSA form to SMA form is straightforward.
(1) Each  assignment takes its inputs from various basic blocks (BBs), which are easily identified in SSA form because there is only one static position at which any given scalar variable is set. When an instruction other than a  assignment computes a variable that serves as an input to a  assignment, a MOVE instruction is inserted immediately after it, copying the instruction's output to the variable that is the output of the  assignment.
(2) Remove all  assignments and  assignments.
Note that the reverse conversion does not recover the original program; it produces a semantically equivalent program in SMA (that is, executable) form. That is, if we convert an original routine (which, when compiled from a language such as C, is always in SMA form) to SSA form and then back to SMA form, the final SMA program will not be identical to the original SMA program, but it is functionally equivalent to it.
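The following is an added example, not code from the patent: a round trip SMA -> SSA -> SMA on a small structured IR with scalar assignments and one if/else join, following 2.10.1 and 2.10.2. The IR shape, the subscripted names x_1, x_2, ..., the placement of the phi at the join and the insertion of a MOVE at the end of each arm are this example's own choices; it handles only the if/else join (no general dominance-frontier computation for arbitrary CFGs), and it raises when a variable is defined on one arm only, which is the case 2.10.1 says needs an initial assignment first.

```python
"""SMA -> SSA -> SMA round trip for a tiny IR (added example, not the
patent's code).  Statements:
    ("set", var, (op, a, b))            scalar assignment
    ("if", cond_var, then_list, else_list)
    ("phi", var, [v_then, v_else])      SSA only
    ("move", var, src)                  SMA only (copy inserted for a phi)
"""

OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
       "*": lambda a, b: a * b, "<": lambda a, b: int(a < b)}


def _fresh(name, counters):
    counters[name] = counters.get(name, 0) + 1
    return f"{name}_{counters[name]}"


def _use(x, env):
    # a variable use is renamed to its current version; literals pass through
    return env[x] if isinstance(x, str) else x


def to_ssa(stmts, env, counters):
    """Rename every definition to a fresh version.  env maps original name
    -> current version (updated in place); at an if/else join a phi is
    inserted for each variable whose versions differ on the two arms."""
    out = []
    for st in stmts:
        if st[0] == "set":
            _, v, (op, a, b) = st
            a, b = _use(a, env), _use(b, env)
            env[v] = _fresh(v, counters)
            out.append(("set", env[v], (op, a, b)))
        elif st[0] == "if":
            _, c, then_s, else_s = st
            c = _use(c, env)
            env_t, env_e = dict(env), dict(env)
            out.append(("if", c, to_ssa(then_s, env_t, counters),
                        to_ssa(else_s, env_e, counters)))
            for v in sorted(set(env_t) | set(env_e)):
                vt, ve = env_t.get(v), env_e.get(v)
                if vt is None or ve is None:
                    # 2.10.1 caveat: needs an initial assignment before conversion
                    raise ValueError(f"{v} is not defined on every path")
                if vt != ve:
                    env[v] = _fresh(v, counters)
                    out.append(("phi", env[v], [vt, ve]))
        else:
            raise ValueError(f"unexpected statement {st[0]}")
    return out


def to_sma(ssa):
    """Replace each phi at an if/else join by a MOVE into the phi's output
    at the end of the arm that produces the corresponding input."""
    out, i = [], 0
    while i < len(ssa):
        st = ssa[i]
        i += 1
        if st[0] != "if":
            out.append(st)
            continue
        _, c, then_s, else_s = st
        then_s, else_s = to_sma(then_s), to_sma(else_s)
        while i < len(ssa) and ssa[i][0] == "phi":
            _, x, (vt, ve) = ssa[i]
            then_s.append(("move", x, vt))
            else_s.append(("move", x, ve))
            i += 1
        out.append(("if", c, then_s, else_s))
    return out


def evaluate(stmts, env):
    """Run SMA code.  phi is not executable, which is why SSA code must be
    converted back to SMA form before it can run."""
    for st in stmts:
        if st[0] == "set":
            _, v, (op, a, b) = st
            env[v] = OPS[op](_use(a, env), _use(b, env))
        elif st[0] == "move":
            env[st[1]] = env[st[2]]
        elif st[0] == "if":
            evaluate(st[2] if env[st[1]] else st[3], env)
        else:
            raise ValueError(f"{st[0]} is not executable")
    return env


def definitions(stmts):
    names = []
    for st in stmts:
        if st[0] in ("set", "phi", "move"):
            names.append(st[1])
        elif st[0] == "if":
            names += definitions(st[2]) + definitions(st[3])
    return names


def is_ssa(stmts):
    d = definitions(stmts)
    return len(d) == len(set(d))


PROGRAM = [  # constructed sample: x and y are assigned on both arms
    ("set", "x", ("+", "a", 1)),
    ("set", "c", ("<", "x", "b")),
    ("if", "c",
     [("set", "x", ("*", "x", 2)), ("set", "y", ("-", "x", "b"))],
     [("set", "x", ("+", "x", "b")), ("set", "y", ("+", "a", 0))]),
    ("set", "z", ("+", "x", "y")),
]


def convert(program=PROGRAM, inputs=("a", "b")):
    """Return (ssa, sma, final version name of each original variable)."""
    env = {v: v for v in inputs}  # routine inputs keep their names
    ssa = to_ssa(program, env, {})
    return ssa, to_sma(ssa), env


def roundtrip(a, b):
    """Value of z in the original program vs. in the round-tripped one."""
    _, sma, names = convert()
    orig = evaluate(PROGRAM, {"a": a, "b": b})["z"]
    new = evaluate(sma, {"a": a, "b": b})[names["z"]]
    return orig, new
```

For PROGRAM the SSA form defines x_1, c_1, x_2, y_1, x_3, y_2, then phi x_4 = [x_2, x_3] and y_3 = [y_1, y_2], and z_1 = x_4 + y_3; the SMA form drops both phis and appends MOVE x_4 <- x_2, MOVE y_3 <- y_1 to the then arm and MOVE x_4 <- x_3, MOVE y_3 <- y_2 to the else arm, so x_4 is assigned twice and the result is no longer SSA, but it computes the same z.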
3. Base functions and their implementation
In this section we present methods for generating white-box trapdoor one-way functions, and in particular for creating bijective base functions in mutually inverse pairs, such that an attacker who is given the implementation of one member of such a pair can neither easily find an implementation of its inverse (the other member of the pair) nor easily find the point at which an implementation providing the inverse could be obtained.
3.1 White-box trapdoor one-way functions: definitions. We first define trapdoor one-way functions in general, then treat the white-box case, and end by separating the entropy in an implementation into key entropy and randomization entropy.
3.1.1 Trapdoor one-way functions. We start from the following definitions, taken from [31].
 is a one-way function if  is 'easy' to compute but, for 'nearly all' , computing  is 'computationally infeasible'.
 is a trapdoor one-way function if  is a one-way function and, given s, for any , finding  is computationally feasible. (If  is a bijection, then such an s .)
3.1.2 White-box trapdoor one-way functions. To the standard definitions from [31] above, we add the following non-standard definitions for the white-box attack context.
 is a white-box one-way function if  is designed to be implementable so as to have the one-way function property under white-box attack. Similarly,  is a white-box trapdoor one-way function if  is designed to be implementable so as to have the trapdoor one-way function property under white-box attack.
A bijection  is a one-way bijection if  is 'easy' to compute but, for 'nearly all' , finding  is 'computationally infeasible'.
A bijection  is a trapdoor one-way bijection if  is a one-way bijection and, given s, for any , finding  is computationally feasible. (For example, a symmetric cipher evaluated with respect to a key s is a trapdoor one-way bijection: the secret information is the key s.)
A bijection  is a white-box one-way bijection if  is designed to be implementable so as to have the one-way bijection property under white-box attack. Similarly,  is a white-box trapdoor one-way bijection if  is designed to be implementable so as to have the trapdoor one-way bijection property under white-box attack. (For example, an effective white-box fixed-key implementation of a symmetric cipher is a white-box trapdoor one-way bijection: the secret information s is the key.)
N.B.: an implementation of a white-box trapdoor one-way bijection is an implementation  of a bijection  such that, given the implementation , it is hard to find a computationally feasible implementation of  without the secret information. (The secret information may itself be a computationally feasible implementation of .)
3.1.3 Key entropy and randomization entropy. We seek two functions  such that, given a particular construction algorithm, K alone suffices to find  and . K is the key entropy.
We then seek two implementations  and , where  implements  and  implements .  and  supply randomization entropy, which does not affect functionality; it serves only to determine a sufficiently obscure implementation that prevents the implementation from revealing, for a period of time, how to represent that functionality.
 and  constitute our implementation of a mutually inverse base function pair.
3.2 Security: history, theory and the proposed method. Our initial attempts to build implementations of white-box trapdoor one-way functions in mutually inverse pairs were based on the expected intractability of disambiguating higher-degree polynomial encodings (see ), the expected intractability of disambiguating interleavings of linear functions and deeply nonlinear function-indexed functions (see ), and the expected intractability of disambiguating linear functions combined with some other operations (computationally, typically ) used to eliminate the T-function property of such implementations.
Experience has shown this expectation to be wrong: any such attempt to produce an intractable disambiguation problem by means of encodings alone fails, because an encoding simple enough to be used efficiently is also simple enough to be analysed efficiently.
This led us to seek programmatic defences, in which encodings still play a role but work in cooperation with dynamic programming mechanisms (control flow, routine calls, broader data organization, and so on). Many program-related problems are hard. For example, we have proved that, in the presence of encodings, the redundancy and reachability problems for control-flow flattening are PSPACE-hard in the worst case [9].
More generally, we have Rice's theorem, which states: for any non-trivial property of partial functions, there is no general and effective method for deciding whether a given algorithm computes a function with that property. ('Trivial' means the property holds either for all partial functions or for none.) The theorem is named after Henry Gordon Rice and is also known as the 'Rice-Myhill-Shapiro theorem', after Rice, John Myhill and Norman Shapiro.
An alternative statement of Rice's theorem is as follows. Let S be a non-trivial set of languages², meaning:
(1) there exists a Turing machine (TM) that recognizes a language in S, and
(2) there exists a TM that recognizes a language not in S.
Then it is undecidable whether the language recognized by an arbitrary TM is in S.
Rice's theorem applies only to linguistic properties, not to operational ones. For example, it is decidable whether a TM halts on a given input within a given number of steps, whether a TM halts on every input within that number of steps, and whether a TM ever halts within that number of steps. The general impossibility of virus recognition, however, is linguistic, and Rice's theorem implies that a perfectly general virus recognizer is impossible.
The patents in the Irdeto patent collection include software obfuscation and tamper resistance achieved by means of data-flow encoding [5, 7, 8] (encoding of scalars and vectors and of the operations upon them), control-flow encoding [G] (modification of the control flow in a program so that it depends on computation, with many-to-many mappings from the functions computed and the code blocks to the inputs), and mass-data encoding [20] (based on virtual memory, or a software-provided memory of that kind, in which logical addresses are physically scattered and are also dynamically re-encoded and physically rotated over time by a background process).
Among the above methods for obfuscating software and making it tamper-resistant, data-flow encoding is mainly a static process (although dependent encoding of variables makes it potentially somewhat dynamic: in dependent variable encoding, the coefficients of the encodings of some variables and vectors are supplied by other variables and vectors), whereas control-flow encoding and mass-data encoding are mainly dynamic: the data structures are programmed statically, but the actual operation of these software protections is largely the result of dynamic operations performed on those data structures at run time.
The main purposes of control-flow encoding are (1) to reduce the exposure to dynamic attacks, and (2) to protect control flow by embedding the program's normal control flow in a considerably larger, obscuring control flow. The original purpose of mass-data encoding was to find an encoding that works correctly in the presence of highly dynamic aliasing, for example the aggressive use of pointers in C programs.
The difficulty with dynamic encodings of the above forms is that the supporting data structures (the dispatch and register-mapping tables of control-flow encoding, the virtual-memory encode/decode tables and address-mapping tables of mass-data encoding) themselves leak information.
We propose to move most of the special handling from run time to compile time, using a protection similar to a combination of control-flow encoding and mass-data encoding but with the special data structures significantly reduced. Let us call this new form of protection dynamic data mangling; it retains much of the dynamic variability of control-flow encoding and mass-data encoding, but moves the special data structures from run time to compile time.
² A language is a set of strings over an alphabet. An alphabet is a finite non-empty set.
The benefit of eliminating most of the special data structures at run time is that the operations supporting dynamic data mangling become harder to distinguish from the code to which they are applied.
3.3 Selecting an invertible matrix over . To create an invertible matrix M over  and its inverse M⁻¹, we proceed as follows.
Select an upper triangular invertible matrix  over  with non-zero elements on and above the diagonal, where the upper triangular invertible matrix  is chosen such that:
if i<j,  (an arbitrary element),
if i=j,  (an odd element), and
if i>j,  (zero).
Because all the diagonal elements are odd, U is certainly invertible.
Select two such random upper triangular matrices X, Y independently. Then , and .
This method guarantees that the inverse computation is very easy, because all inverses are computed on upper triangular matrices, which are already in row-echelon form with every leading row element a unit.
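As an added example (not the patent's code) of the selection in 3.3: two random upper triangular matrices with odd diagonals over Z/(2^32) are generated, each is inverted by back substitution (the only divisions are by the odd diagonal entries, which are units modulo 2^w), and the pair M, M⁻¹ is assembled from them. The text does not show how X and Y are combined; this example assumes M = X·Yᵀ, so that M⁻¹ = (Y⁻¹)ᵀ·X⁻¹ and every inversion stays on an upper triangular matrix. It also shows the failure mode: an even diagonal entry makes the modular inverse undefined and the matrix singular.

```python
"""Invertible matrix pair over Z/(2^w) from upper triangular matrices with
odd diagonals (added example, not the patent's code).  Assumes w = 32 and
M = X * Y^T; requires Python 3.8+ for pow(a, -1, m)."""
import random

W = 32
MOD = 1 << W


def random_upper_triangular(n, rng):
    """u_ij arbitrary for i < j, odd for i = j (a unit mod 2^w), 0 for i > j."""
    U = [[0] * n for _ in range(n)]
    for i in range(n):
        U[i][i] = rng.randrange(MOD) | 1
        for j in range(i + 1, n):
            U[i][j] = rng.randrange(MOD)
    return U


def matmul(A, B):
    n, m, p = len(A), len(B), len(B[0])
    return [[sum(A[i][k] * B[k][j] for k in range(m)) % MOD for j in range(p)]
            for i in range(n)]


def transpose(A):
    return [list(col) for col in zip(*A)]


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def invert_upper_triangular(U):
    """Back substitution, one column of the inverse at a time.  The only
    divisions are by the diagonal entries; pow(a, -1, MOD) raises
    ValueError if one of them is even, i.e. if U is singular mod 2^w."""
    n = len(U)
    inv = [[0] * n for _ in range(n)]
    for col in range(n):
        for i in range(n - 1, -1, -1):
            rhs = int(i == col) - sum(U[i][k] * inv[k][col] for k in range(i + 1, n))
            inv[i][col] = rhs * pow(U[i][i], -1, MOD) % MOD
    return inv


def make_pair(n, seed):
    """Return (M, M^-1) over Z/(2^32) with M = X * Y^T (assumed combination)."""
    rng = random.Random(seed)
    X = random_upper_triangular(n, rng)
    Y = random_upper_triangular(n, rng)
    M = matmul(X, transpose(Y))
    M_inv = matmul(transpose(invert_upper_triangular(Y)),
                   invert_upper_triangular(X))
    return M, M_inv


def apply_matrix(M, v):
    """Encode (or decode) a vector: M v mod 2^w, v as a column vector."""
    return [sum(M[i][k] * v[k] for k in range(len(v))) % MOD for i in range(len(M))]
```

Because neither factor is triangular after the product, M itself is dense, yet its inverse never required Gaussian elimination over the ring, which is the point of the construction.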
3.4 Virtual machine and instruction set. The proposed form of implementation is a program with operations on . We therefore define it from the ground up in terms of a virtual machine (VM) with a single thread of control (no concurrency, no time slicing), whose instruction set is based on the operations of the C language as implemented by modern compilers (gcc for GNU/Linux, CL.EXE for MS Windows) for both the Intel IA32 and Intel IA64 instruction set architectures, in which the default size of a (signed) int or an unsigned int is 32 bits. The VM instruction set operates without overflow checking and, unless otherwise stated, interprets quantities as 32-bit unsigned words.
3.4.1 Root instructions. A root instruction has seven fields: a 29-bit opcode, three 1-bit literal flags L1, L2, L3, and three 32-bit operands (operand 1, operand 2, operand 3), each of which is a literal if the corresponding literal flag is set and otherwise a register number (see Fig. 2). All VM instructions use this format except ENTER and EXIT, which use the format shown in Fig. 3: a 24-bit field holding a count k, a 5-bit opcode, three 1-bit literal flags all set to 0, and k 32-bit register numbers.
The root instruction set is shown in Table 3.
3.4.2 Implied instructions and the basic instruction set. The implied instructions, each a special use of a root instruction, are shown in Table 4.
The set comprising the root and implied instructions constitutes the basic instruction set of the VM.
3.4.3 Correspondence with C operators. The basic instructions correspond closely to the operators of the C language.
The Boolean comparisons EQ, NE, ULT, ULE, SLT, SLE and their implied counterparts UGE, UGT, SGT, SGE produce 1 if the comparison is true and 0 otherwise. All arithmetic is 32-bit arithmetic without overflow checking, as in typical C implementations, and all arithmetic is unsigned unless otherwise noted.
Note: ADD, SUB, MUL, DIV, REM, AND, OR, XOR, EQ, NE, ULT, ULE, UGT, UGE, LLSH and LRSH correspond respectively to the C binary operators +, -, *, /, %, &, |, ^, ==, !=, <, <=, >, >=, << and >> with unsigned int operands, where unsigned int is taken to be a 32-bit unsigned integer. Similarly, NEG and NOT correspond respectively to the C unary operators - and ~ with 32-bit unsigned int operands. Finally, SLT, SLE, SGT, SGE correspond respectively to <, <=, >, >= with 32-bit int operands; ARSH corresponds to C's >> with a 32-bit int operand and a positive shift count; and LOAD, STORE, JUMP, JUMPZ and JUMPNZ provide the memory access (omitting bit fields), function pointer, function call and control capabilities of C.
The above behaviour on 32-bit ints and unsigned ints is not part of the ISO/IEC C standard, but it is the default behaviour provided by gcc on GNU/Linux and by CL.EXE on Windows for Intel IA32 and IA64.
There is therefore a close correspondence between the semantics of the VM instruction set above and the de facto standard for C implementations.
3.4.4 Macro-instructions. Macro-instructions represent idioms used in implementing base function pairs. Each macro-instruction can easily be expanded into a body of code containing only basic instructions (see  on p.34), possibly using some additional temporary registers. The expansions are straightforward and are therefore omitted.
The general form of a macro-instruction is roughly mnemonic[parameters] , denoting a mapping that takes an input vector of register values  and produces an output vector of register values .
The parameter(s) may be literal values, one or more source registers (typically only one: ), or a sequence of one or more instructions, in which case the inner sequence is modified by the outer macro-instruction of which it is a parameter.
Opcode  Mnemonic  Operands    Effect
0       HALT      (ignored)   stop execution
1       ADD       d, i1, i2   d <- i1 + i2 in Z/(2^32)
2       SUB       d, i1, i2   d <- i1 - i2 in Z/(2^32)
3       MUL       d, i1, i2   d <- i1 * i2 in Z/(2^32)
4       DIV       d, i1, i2   d <- i1 / i2 (unsigned, truncating) in Z/(2^32)
5       REM       d, i1, i2   d <- i1 mod i2 (unsigned) in Z/(2^32)
6       AND       d, i1, i2   d <- i1 AND i2, bitwise
7       OR        d, i1, i2   d <- i1 OR i2, bitwise
8       XOR       d, i1, i2   d <- i1 XOR i2, bitwise
9       EQ        d, i1, i2   d <- 1 if i1 = i2, else 0
10      NE        d, i1, i2   d <- 1 if i1 != i2, else 0
11      ULT       d, i1, i2   d <- 1 if i1 < i2 [unsigned], else 0
12      ULE       d, i1, i2   d <- 1 if i1 <= i2 [unsigned], else 0
13      SLT       d, i1, i2   d <- 1 if i1 < i2 [signed], else 0
14      SLE       d, i1, i2   d <- 1 if i1 <= i2 [signed], else 0
15      LLSH      d, i1, i2   d <- i1 << (i2 mod 32), logical, in Z/(2^32)
16      LRSH      d, i1, i2   d <- i1 >> i2, logical (zero fill), in Z/(2^32)
17      ARSH      d, i1, i2   d <- i1 >> (i2 mod 32), arithmetic (sign bit propagated)
18      LOAD      d, i        d <- M[i]
19      STORE     s, i        M[i] <- s
20      JUMPZ     i1, i2      if i1 = 0 then PC <- i2
21      JUMPNZ    i1, i2      if i1 != 0 then PC <- i2
22      JUMPSUB
23      ENTER     k registers enter routine; set the listed registers to the routine inputs
24      EXIT      k registers exit routine; take the routine outputs from the listed registers
Legend:
  s       source operand: a register; it cannot be a literal
  d       destination operand: a register; it cannot be a literal
  i       input operand: register contents or a literal
  M[a]    source/destination memory location at address a
  x <- v  the contents of x are replaced by the value v
  PC      program counter (address of the next instruction)
Table 3. Virtual machine root instruction set.
The macro-instructions comprise the following.
-------------------------------------------------------
Implied instruction    Translation
 ( in -1)
Table 4. Implied virtual machine instructions.
 Store ,  at ; then set . Typically, a stack-pointer register will be specified.
-------------------------------------------------------
 Set ; then load ,  from . Typically, a stack-pointer register will be specified.
-------------------------------------------------------
 where  is an  matrix over ; when , it computes , with d and s treated as column vectors during the computation;
-------------------------------------------------------
 where the register or literal  is used, so that
 is computed bitwise over ; when  it computes
, and when  it computes ;
-------------------------------------------------------
 where the register or literal  is used, so that over
 and
 is taken as ; when  it computes
, and when  it computes ;
-------------------------------------------------------
 where  is an instruction sequence computing  in turn, with  the registers the sequence takes its inputs from and  the registers it outputs to;
-------------------------------------------------------
 where for , and , assigns
 mod ,
, where we assume , with  an arbitrary function; that is, no product of the elements is identically 1;
---------------------------------------------------------
 where  is an instruction computing a single instruction , in which all of  are used as input registers, all of  are used as output registers, and a register that is both an input and an output of the CHOOSE instruction may, but need not, appear both in the inputs and in the outputs of each . The CHOOSE macro expands into basic VM instructions using a binary compare tree that is as nearly balanced as possible: for example, if , the balanced binary tree has 15 branches, each of the form
where T is the label to which control transfers when register , and the value of n is  at the root of the tree (splitting the values into lower and upper halves),  at its left descendant (splitting the first and second quarters),  at its right descendant (splitting the third and fourth quarters), and so on;
---------------------------------------------------------
 where  is a literal or register; performs
 times;
---------------------------------------------------------
 where each  is a permutation; performs , , where  (that is,  is put through a selected permutation), expanding to basic VM instructions using the same nearly balanced binary compare tree and branches as described for the CHOOSE macro-instruction;
---------------------------------------------------------
 computes ; the implementation may apply  explicitly by direct code or implicitly by fractures;
---------------------------------------------------------
 computes ; the implementation prefers explicit application over implicit (that is, fracture) application;
---------------------------------------------------------
 computes ; the implementation prefers implicit (that is, fracture) application over explicit application; and
---------------------------------------------------------
 where  and ; computes
 to obtain the left result,
 to obtain the selector , and
 to obtain the right result by the simplified variant of function-indexed interleaving, in which the indexing function need not be a bijection; but, as is plain, as long as {left, right} is a bijection (that is, total, 1-to-1 and onto ),  computes a bijective function, and any projection obtained by fixing  arbitrarily computes a bijective function.
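The following is an added example, not code from the patent, serving both 3.4.3 (the 32-bit, overflow-free semantics of the arithmetic, comparison and shift root instructions) and the CHOOSE entry above (expansion into a nearly balanced binary compare tree with n-1 branches for n alternatives). The instruction encoding as Python lists, the ("lit", value) operand form, the treatment of JUMP as an implied instruction, the leaf placement and the common exit are this example's own choices; LOAD, STORE, JUMPSUB, ENTER and EXIT are not modelled.

```python
"""Toy interpreter for the VM's ALU/branch root instructions and a compiler
for the CHOOSE macro's balanced compare tree (added example, not the
patent's code).  An operand is a register index (int) or ("lit", value)."""

MASK = 0xFFFFFFFF  # all arithmetic is in Z/(2^32), with no overflow checks


def u32(x):
    return x & MASK


def s32(x):
    """Reinterpret a 32-bit word as a signed two's-complement integer."""
    x &= MASK
    return x - (1 << 32) if x & 0x80000000 else x


# Semantics of the two-input root instructions, following the C-operator
# correspondence of 3.4.3: unsigned unless the mnemonic is a signed one.
ALU = {
    "ADD":  lambda a, b: u32(a + b),
    "SUB":  lambda a, b: u32(a - b),
    "MUL":  lambda a, b: u32(a * b),
    "DIV":  lambda a, b: a // b,          # unsigned; b == 0 is undefined, as in C
    "REM":  lambda a, b: a % b,
    "AND":  lambda a, b: a & b,
    "OR":   lambda a, b: a | b,
    "XOR":  lambda a, b: a ^ b,
    "EQ":   lambda a, b: int(a == b),
    "NE":   lambda a, b: int(a != b),
    "ULT":  lambda a, b: int(a < b),
    "ULE":  lambda a, b: int(a <= b),
    "SLT":  lambda a, b: int(s32(a) < s32(b)),
    "SLE":  lambda a, b: int(s32(a) <= s32(b)),
    "LLSH": lambda a, b: u32(a << (b % 32)),
    "LRSH": lambda a, b: a >> (b % 32),
    "ARSH": lambda a, b: u32(s32(a) >> (b % 32)),
}


def _val(op, regs):
    return u32(op[1]) if isinstance(op, tuple) else regs[op]


def run(program, regs, max_steps=10_000):
    """Execute [op, d, i1, i2] ALU instructions, [JUMPZ|JUMPNZ, i1, i2],
    [JUMP, i] and [HALT] from PC 0; returns the register file."""
    pc = 0
    for _ in range(max_steps):
        ins = program[pc]
        op = ins[0]
        if op == "HALT":
            return regs
        if op in ALU:
            regs[ins[1]] = ALU[op](_val(ins[2], regs), _val(ins[3], regs))
            pc += 1
        elif op == "JUMP":
            pc = _val(ins[1], regs)
        elif op in ("JUMPZ", "JUMPNZ"):
            taken = (_val(ins[1], regs) == 0) == (op == "JUMPZ")
            pc = _val(ins[2], regs) if taken else pc + 1
        else:
            raise ValueError(f"unknown instruction {op}")
    raise RuntimeError("step limit exceeded")


def compile_choose(sel, leaves, scratch):
    """Expand CHOOSE: execute leaves[regs[sel]] (each a straight-line list
    of ALU instructions) via a nearly balanced tree of ULT tests, giving
    n-1 two-way branches for n leaves; every leaf jumps to a common exit."""
    code, exit_jumps = [], []

    def emit(lo, hi):                       # handles selector values lo..hi-1
        if hi - lo == 1:
            code.extend(list(ins) for ins in leaves[lo])
            exit_jumps.append(len(code))
            code.append(["JUMP", None])     # patched to the exit below
            return
        mid = (lo + hi) // 2
        code.append(["ULT", scratch, sel, ("lit", mid)])  # scratch = sel < mid
        branch = len(code)
        code.append(["JUMPZ", scratch, None])             # sel >= mid: go right
        emit(lo, mid)
        code[branch][2] = ("lit", len(code))
        emit(mid, hi)

    emit(0, len(leaves))
    for j in exit_jumps:
        code[j][1] = ("lit", len(code))
    code.append(["HALT"])
    return code


def branch_count(code):
    return sum(1 for ins in code if ins[0] == "JUMPZ")


def demo(selector, base=7):
    """Leaf k multiplies r0 by k+1 into r1; r2 holds the selector."""
    leaves = [[["MUL", 1, 0, ("lit", k + 1)]] for k in range(8)]
    code = compile_choose(sel=2, leaves=leaves, scratch=3)
    return run(code, [base, 0, selector, 0])[1]
```

With 16 leaves the tree has exactly 15 JUMPZ branches, matching the count given for the CHOOSE entry; the signed/unsigned split is visible in that 0xFFFFFFFF is below 0 under SLT but not under ULT, and ARSH keeps the sign bit while LRSH zero-fills.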
3.5 Modelling program structure. We use the model from [1], the so-called Red Dragon book.
For every basic VM instruction other than the branch instructions JUMP, JUMPZ and JUMPNZ, the next instruction executed is the one immediately following the current instruction. In terms of control flow, therefore, a program forms a graph whose nodes correspond to straight-line code blocks that are entered only at the beginning and left only at the end.
Accordingly, during construction we treat the routine implementing our function  as a control flow graph (CFG; see ). Each node is identified with a basic block (BB): a sequence of VM instructions whose first instruction is either the first instruction of the routine (always an ENTER instruction) or the destination of a branch instruction, in which no other instruction is the destination of a branch, and whose final instruction is always a branch or an EXIT instruction.
We restrict control flow graphs to have a single sink node, and only the BB of that sink node ends in an EXIT instruction, so that there is exactly one ENTER instruction and exactly one EXIT instruction in the routine.
Within a node of the CFG, the instructions other than any ENTER, EXIT or branch instruction can be regarded as a data flow graph in which the ordering of the instructions is constrained only by the dependencies between them. These are of three kinds:
(1) instruction y is input-output dependent on instruction x iff y takes as input a value produced as output by x, or y is input-output dependent on an instruction that is input-output dependent on x;
(2) LOAD instruction y is load-store dependent on STORE instruction x iff y loads a value from a location that x previously stored to, or y is load-store dependent on an instruction that is load-store dependent on x;
(3) STORE instruction y is store-store dependent on STORE instruction x iff x stores to a location that y subsequently stores to, or y is store-store dependent on an instruction that is store-store dependent on x.
A dependency of y on x requires that y execute after x. The ordering of the instructions in a basic block is therefore constrained to be consistent with a topological sort of the instructions it contains, using these dependencies as a partial order.
4. Mark I: the 'Woodenman' proposal
Here we give the original statement of our method for building white-box trapdoor one-way functions in mutually inverse pairs.
The proposal makes use of:
(1) permutation polynomials
 modulo , used as encodings for integer values, for addition and for multiplication by constants in .
We expect this to be practical, owing to a known result: every permutation polynomial over  is equivalent to one of degree . We expect such encodings to have high ambiguity, owing to the very large number of choices for the numbers to be added or multiplied and encoded: each permutation polynomial has many equivalent permutation polynomials.
(2) the construction of functions and their inverses with a very large number of right-side indexed functions (that is, a large bound n on the selector ).
This produces fine-grained deep nonlinearity in the mutually inverse function pair, making a direct attack on the underlying matrices more difficult.
(3) the use of fractures (see 'encoding fractures' in the index) at the interfaces within the construction, including between fractures, to do work (because the encodings need not be the same, as long as they are all 1-to-1).
The effect of fractures is to deepen the nonlinearity of the construction further.
(4) the initial inputs and final outputs are mixed so that the deep nonlinearity produced by the construction is dispersed evenly over the input and output space, and the inputs and outputs are mixed by  and by  ( ) to defeat homomorphic mapping attacks.
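As an added example (not code from the patent) for item (1): permutation polynomials used as encodings of integer values, with the encoded addition performed on encoded operands. It assumes the ring is Z/(2^w), uses Rivest's criterion for permutation polynomials modulo 2^w (a_1 odd, a_2 + a_4 + ... even, a_3 + a_5 + ... even) to select coefficients, and uses w = 8 so that the bijection can be checked exhaustively; the encoded addition goes through lookup tables rather than a composed polynomial, and the "equivalent polynomial" construction (adding 2^(w-1) to a_1 and a_2, which changes nothing because x^2 + x is always even) is one concrete instance of the many equivalent permutation polynomials the text mentions.

```python
"""Permutation polynomials over Z/(2^w) as encodings (added example, not
the patent's code).  coeffs[k] is the coefficient a_k of x^k."""


def poly_eval(coeffs, x, w):
    """a_0 + a_1 x + a_2 x^2 + ... mod 2^w, Horner form."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) & ((1 << w) - 1)
    return acc


def is_permutation_polynomial(coeffs):
    """Rivest's criterion for polynomials modulo 2^w (w >= 2); it does
    not depend on w."""
    a = list(coeffs) + [0, 0]
    return a[1] % 2 == 1 and sum(a[2::2]) % 2 == 0 and sum(a[3::2]) % 2 == 0


def table(coeffs, w):
    """The encoding as a lookup table: table[x] = p(x)."""
    return [poly_eval(coeffs, x, w) for x in range(1 << w)]


def is_bijection(tbl):
    return len(set(tbl)) == len(tbl)


def invert(tbl):
    """Decoding table of a bijective encoding table."""
    inv = [0] * len(tbl)
    for x, y in enumerate(tbl):
        inv[y] = x
    return inv


def equivalent_variant(coeffs, w):
    """A different polynomial computing the same permutation: x^2 + x is
    always even, so 2^(w-1) (x^2 + x) vanishes mod 2^w; adding 2^(w-1) to
    both a_1 and a_2 changes the coefficients but not the function."""
    a = list(coeffs) + [0] * max(0, 3 - len(coeffs))
    a[1] = (a[1] + (1 << (w - 1))) % (1 << w)
    a[2] = (a[2] + (1 << (w - 1))) % (1 << w)
    return a


def encoded_add(enc, dec, u, v, w):
    """Given u = enc(x) and v = enc(y), return enc(x + y mod 2^w) without
    ever exposing x + y outside this function (table-based variant)."""
    return enc[(dec[u] + dec[v]) & ((1 << w) - 1)]
```

Note the two failure modes the criterion catches: an even a_1 (the map is not even 1-to-1 on the low bit) and an odd a_2 (x + x^2 hits only even values), both confirmed by the exhaustive table check at w = 8.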
The construction for the case of a mutually inverse function pair mapping 8-vectors to 8-vectors is shown in Figure 4; it uses the theorem on function-indexed interleaving and the interleaving of its inverse from the BVM document, with  mapping 4-vectors to 4-vectors and the functions  mapping 4-vectors to 4-vectors. We discuss a final adjustment after describing the initial construction itself.
(40) The eight input vector elements are mixed in pairs by 2×2 mixing operations, which can be performed by an encoded matrix mapping technique in which the matrix is over a ring such as  or . The matrix operations are expanded into encoded operations, where the encodings are ring-based permutation polynomials. Only three kinds of operation need to be encoded, as long as the mapping performed by the mixer is linear or affine: addition of two variables (addvar), linear or affine addition of a constant and a variable, and multiplication of a variable by a constant (mulcon).
The purpose of the 2×2 mixing is this. If function-indexed interleaving is applied naively, the projection from inputs 1,3,5,7 to outputs 1,3,5,7 is linear up to the I/O encodings, whereas the projection from inputs 2,4,6,8 to outputs 2,4,6,8 is not. By mixing inputs 1,2,3,4,5,6,7,8 and, in (49) below, mixing outputs 1,2,3,4,5,6,7,8, we ensure that no such projection from inputs to outputs is linear up to the I/O encodings.
(41) After step (40) we have eight intermediate values; according to the selection made by the selector of the function-indexed interleaving, values 1,3,5,7 are directed to the left-side function  and values 2,4,6,8 to one of the functions .
Which right-side function is selected is computed by an affine operation performed by a 1×4 mapper, using a selection function with another polynomial encoding over the ring. This mapper takes exactly the same inputs as the left-side function, to ensure that the inversion technique works.
(42) The appropriate  is realized by directing intermediate values 2,4,6,8 from step (40) to it; a switch performs the actual selection.
Although this is shown in Figure 4 as a simple switch selecting among the intermediate values, in practice the operation may be far more than that. In particular, it is highly desirable that the number n of selectable  be very large, so that our mutually inverse white-box trapdoor one-way bijection implementations exhibit fine-grained deep nonlinearity. To achieve this we must represent a huge number of  in a limited space. As a start, consider an arbitrary nonsingular 4×4 matrix over , where  is expected to be 32, 64 or even larger. Assuming every row and column is unique, by permuting rows and columns we can obtain 4!·4! = 576 distinct matrices. We can also vary the encodings at the boundaries (that is, at the points in the figure where an arrow passes from one block to another), and many other variations exist. Hence we can quite easily obtain a large number of  by implementing this 'switch' appropriately in a limited amount of space.
(43) On the left side of Fig. 4 we mix the inputs in pairs . This is done to defeat homomorphic mapping attacks. In such an attack we have an operation of the kind , and for any given unencoded operation  there are three gaps to fill. The number of possible guesses is therefore bounded above by , where r is the number of elements of the ring, that is, by . Now suppose the attacker gets the greatest expected 'birthday paradox' advantage. Then we expect an attack complexity of , which for w=32 is  trials and for w=64 is  trials.
Now suppose we can mix the inputs in pairs. There are now five gaps to guess, and the attack complexity (again granting the attacker the greatest expected 'birthday paradox' advantage) is , which for w=32 is  trials and for w=64 is  trials. Clearly, then, if we can mix the inputs inseparably (and, symmetrically, the outputs), we gain mixing across a very large number of entries.
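As an added worked derivation (not part of the patent's text), the complexity figures in (43) follow from three stated quantities once two assumptions are made explicit: the ring has $r = 2^{w}$ elements, an unencoded operation leaves three gaps to guess (five once the inputs are mixed in pairs), and the 'birthday paradox' advantage is taken to reduce the search to the square root of the number of candidates. Under those assumptions:

$$N_{3} = r^{3} = 2^{3w}, \qquad C_{3} \approx \sqrt{N_{3}} = 2^{3w/2}, \qquad\text{so } C_{3} = 2^{48}\ (w = 32),\quad 2^{96}\ (w = 64);$$

$$N_{5} = r^{5} = 2^{5w}, \qquad C_{5} \approx \sqrt{N_{5}} = 2^{5w/2}, \qquad\text{so } C_{5} = 2^{80}\ (w = 32),\quad 2^{160}\ (w = 64).$$

The square-root step is the assumption to check against the original figures; without it the bounds are simply $2^{3w}$ and $2^{5w}$.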
(44) On the right side of Fig. 4 we mix the inputs in pairs . This is done to defeat the homomorphic mapping attack mentioned in (43) above, with the same advantage.
(45) On the left side, the  mapper is a polynomially encoded linear or affine transformation.
(46) On the right side, the  mapper is a polynomially encoded linear or affine transformation.
(47) The implementation of  ends by mixing its outputs in pairs. Partly this is done directly, to make homomorphic mapping attacks harder; partly, for the reasons given in (42) above, it is done to ensure that the inputs are mixed in pairs in the inverse function, because the implementation of  involves the construction opposite to that shown in Fig. 4, in which inputs become outputs and vice versa.
(48) Similarly, the implementation of each  (in the theorem on function-indexed interleaving of the BVM document) ends by mixing its outputs in pairs, both to make homomorphic mapping attacks more costly and to ensure that each  in  mixes its inputs in pairs, because the implementation of  involves the construction opposite to that shown in Fig. 4, in which inputs become outputs and vice versa.
(49) Finally, the outputs are mixed in pairs. This can be done by a polynomially encoded matrix operation, with an  matrix of rank n as for the initial inputs in (40), to ensure that there is no projection from multiple inputs to multiple outputs that is linear up to , and that, on the contrary, all such projections are deeply nonlinear.
The final adjustments and modifications to the construction in Fig. 4 are as follows.
The boundaries (represented in the figure by the arrows showing data flow) are obscured by using identities (including MBA identities), so that the computations represented by a block are blended with the computations in its successor blocks. Because we have complete control over the encodings used in the blocks, we can achieve this obscuring by suitable placement.
We make use of the fractures mentioned in item (3) above to help ensure that the implementation is nonlinear at every level.
We optimize the implementation to ensure adequate performance. For example, when many polynomials are used, the powers of an input are computed once for all of its uses.
Mark II
The Mark II proposal resembles Mark I (see p.39 above) in that it has a fixed internal structure; only the coefficients vary between base-function implementation pairs.
5.1 Initial configuration: selecting [...] and [...]. The initial program does not use local arrays. Except for the initial access to the inputs and the final delivery of the outputs (that is, except for the implementation of the VM instructions ENTER and EXIT), all operations in the program are scalar and do not use the LOAD and STORE instructions, which are strictly required only for indexed memory access.
All computations operate on [...] and produce results in [...], but for ADD, SUB and MUL such values are interpreted as elements of [...], and the result is the appropriate result in that modular ring. That is, the computations are implemented like those of C on unsigned int operands on a typical 32-bit machine with no overflow checking.
We structure [...] and [...] so that the specifications of [...] and [...] have exactly the same structure (but with different coefficients); only one of the specifications consumes entropy from K (the key).
The basic structure is shown in Fig. 5 (first half) and Fig. 6 (second half), where the circles are connectors between the two figures.
5.1.1 Data flow. The data flowing along the arrows in Figs. 5 and 6 is always an element of [...] (a 32-bit word), flowing from the tail of an arrow to its head. Where an arrow splits in two directions, the word is delivered to both points indicated by the arrowheads.
5.1.2 Independence. Random choices are independent. Where two components in Figs. 5 and 6 carry the same label, such as [...], they are chosen independently of each other; in fact, every component is chosen randomly and independently, unaffected by any other component. For the specification of [...], of course, all components are chosen so that the specification realizes the inverse of the function defined by [...], so that once the specification of [...] has been chosen, the specification of [...] is fixed: no further K entropy is consumed to construct it.
5.1.3 [...] versus [...]. Some component labels in Figs. 5 and 6 use the label [...], such as [...] or permutation [...], and others use the label [...], such as recode [...] or recode [...].
A device labelled [...] has n inputs and n outputs, and the component executing it can move entropy from an input to a non-corresponding output (as a matrix maps a vector).
A device labelled [...] has n inputs and n outputs, but the component executing it can move entropy only from an input to its corresponding output; that is, such a component is in effect n scalar operations side by side, so that recode [...] takes four scalar values and recodes each one individually, without interaction with any other scalar value.
5.1.4 Selection components. The selection components in Figs. 5 and 6 are labelled "select 1-of-2 permutations" or "select 1-of-2 recodes".
Those labelled "select 1-of-2 permutations" have the following form:
[...] where [...] is a randomly chosen permutation, [...] via [...] from [...].
Those labelled "select 1-of-2 recodes" have the following form:
[...] via recode [...] from [...], where each [...] is a VM macro instruction of the following form: [...]
All encodings in the recodes are chosen at random from [...].
5.1.5 Four occurrences of the interleaving of index functions. The interleaving of index functions described in [...] occurs four times in the specification of [...] or [...]. Each comprises three linear mappings [...] (for some matrix M, the VM macro instruction [...]), labelled [...] in Figs. 5 and 6 respectively, whose matrices are chosen independently using the method in [...]; together with the same recoding (VM macro instruction [...], with four encodings chosen at random from the available permutation-polynomial encodings), two occurrences of "select 1-of-2 permutations", and two occurrences of "select 1-of-2 recodes" (see [...]).
Each instance of the interleaving of index functions has a single left-side function and [...] right-side functions.
5.1.6 Other components. The remaining components, those not in instances of the interleaving of index functions, comprise three occurrences of recode, each of the form:
[...] and two occurrences of permutation, each of the form:
[...] (for [...]) with a single, randomly chosen permutation, and eight occurrences of mixer, each of the form:
[...] where M is a matrix chosen by the method in [...].
5.2 Obfuscating the implementation of [...] or [...]. The following method is used to obfuscate the implementation of the program [...] or [...], where the implementation has the general architecture shown in Figs. 5 and 6 and described in detail on p.43 above.
The transformations in the following sections are performed one after another, except where otherwise noted in the body of a section.
5.2.1 Copy elision. The simple code for the implementation of [...] or [...] contains many MOVE instructions. When an assignment transfers a value from one register to another via a MOVE, it is often possible to eliminate the intermediate step and transfer the result directly to its final destination.
This is especially effective for permutations, since a permutation is implemented simply as a series of MOVEs. For example, simplifying the initial [...] and final [...] permutations means that a randomly chosen permutation only determines which data-flow source is the first to receive a particular input, and which data-flow sink is the last to deliver a particular output.
The rule is that any MOVE that can be eliminated by ordinary optimization must be eliminated; that is, the final version of the obfuscated implementation of [...] or [...] must contain the minimum number of MOVE instructions achievable by optimization at an ordinary (that is, non-aggressive) level.
More specifically, assuming that we can readily associate value producers with their value consumers using SSA form, the MOVEs that must be omitted are those that can be removed by renumbering outputs and converting to SSA form again until no further copy elision occurs in SSA.
A MOVE can be omitted when it forms an arc in an operation tree in which multiple MOVEs form arcs, the original value producer (possibly an assignment) is the root, the root dominates the MOVE arcs and the consumers, and no consumer is itself an assignment.
Copy elision can be performed at various points in the following process, and is certainly done as the final step for removing redundant MOVE instructions.
5.2.2 Branch-to-branch elision. A related form of elision can be performed on branches. If a basic block (BB) contains only an unconditional branch instruction (that is, an unconditional JUMP base instruction), then the target of any branch to that BB can be modified to the target of its unconditional branch. This can be repeated until no such branch-to-branch remains, and any unreachable BB containing only an unconditional JUMP can then be removed.
Branch-to-branch elision can be performed at any point in the following process, and is certainly done as the final step for eliminating branch-to-unconditional-branch sequences.
5.2.3 Unused-code elimination. When the code is in SSA form, if a register is the output of instruction x but is never the input of any instruction y, then instruction x is unused code. We can repeatedly remove all such instructions until no unused code remains.
This can be done at various times between obfuscation stages, and is certainly done as the final step for eliminating unused code.
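The three cleanups of 5.2.1 to 5.2.3 are easiest to see on a concrete instruction set. The following is an added example, not code from the patent or from Irdeto; it assumes a made-up tuple encoding of the VM's SSA-form code (opcode, destination register, sources; basic blocks keyed by name) and runs copy elision on MOVE chains, branch-to-branch elision with removal of unreachable blocks, and iterative unused-code elimination over a constructed program.

```python
# Instruction tuples (an assumed encoding of the VM's SSA-form code):
#   ("ENTER", r1, r2, ...)               program inputs land in r1, r2, ...
#   ("MOVE", dst, src)                   register copy
#   ("ADD"|"SUB"|"MUL", dst, a, b)       arithmetic
#   ("JUMP", target)                     unconditional branch
#   ("JUMPNZ", cond, t_true, t_false)    conditional branch in CFG form
#   ("EXIT", r1, r2, ...)                program outputs
# A program is a dict of basic blocks keyed by name, plus an entry block name.

SIDE_EFFECTS = {"ENTER", "JUMP", "JUMPNZ", "EXIT"}

def reads(ins):
    """Registers an instruction reads."""
    op = ins[0]
    if op in ("ADD", "SUB", "MUL"):
        return [ins[2], ins[3]]
    if op == "MOVE":
        return [ins[2]]
    if op == "JUMPNZ":
        return [ins[1]]
    if op == "EXIT":
        return list(ins[1:])
    return []

def rename_reads(ins, m):
    """Copy of ins with every read register r replaced by m.get(r, r)."""
    op = ins[0]
    if op in ("ADD", "SUB", "MUL"):
        return (op, ins[1], m.get(ins[2], ins[2]), m.get(ins[3], ins[3]))
    if op == "MOVE":
        return (op, ins[1], m.get(ins[2], ins[2]))
    if op == "JUMPNZ":
        return (op, m.get(ins[1], ins[1]), ins[2], ins[3])
    if op == "EXIT":
        return (op,) + tuple(m.get(r, r) for r in ins[1:])
    return ins

def targets(ins):
    if ins[0] == "JUMP":
        return [ins[1]]
    if ins[0] == "JUMPNZ":
        return [ins[2], ins[3]]
    return []

def retarget(ins, m):
    if ins[0] == "JUMP":
        return ("JUMP", m.get(ins[1], ins[1]))
    if ins[0] == "JUMPNZ":
        return ("JUMPNZ", ins[1], m.get(ins[2], ins[2]), m.get(ins[3], ins[3]))
    return ins

def copy_elision(blocks):
    """5.2.1: in SSA form each register is written once, so MOVE d <- s can go
    if every reader of d reads s instead; chains of MOVEs resolve to the root."""
    alias = {i[1]: i[2] for b in blocks.values() for i in b if i[0] == "MOVE"}
    def root(r):
        while r in alias:
            r = alias[r]
        return r
    m = {d: root(d) for d in alias}
    return {n: [rename_reads(i, m) for i in b if i[0] != "MOVE"] for n, b in blocks.items()}

def branch_to_branch_elision(blocks, entry):
    """5.2.2: a BB that is only 'JUMP t' is a trampoline; branches into it are
    retargeted to t (transitively), then unreachable BBs are dropped."""
    tramp = {n: b[0][1] for n, b in blocks.items() if len(b) == 1 and b[0][0] == "JUMP"}
    def final(n):
        seen = set()
        while n in tramp and n not in seen:
            seen.add(n)
            n = tramp[n]
        return n
    m = {n: final(n) for n in tramp}
    entry = m.get(entry, entry)
    blocks = {n: [retarget(i, m) for i in b] for n, b in blocks.items()}
    reach, work = set(), [entry]
    while work:
        n = work.pop()
        if n not in reach:
            reach.add(n)
            for i in blocks[n]:
                work.extend(targets(i))
    return {n: b for n, b in blocks.items() if n in reach}, entry

def unused_code_elimination(blocks):
    """5.2.3: drop instructions whose output register is read nowhere; repeat,
    since removing a reader can make its producers unused too."""
    while True:
        read = {r for b in blocks.values() for i in b for r in reads(i)}
        new = {n: [i for i in b if i[0] in SIDE_EFFECTS or i[1] in read] for n, b in blocks.items()}
        if new == blocks:
            return new
        blocks = new

def cleanup(blocks, entry):
    blocks = copy_elision(blocks)
    blocks, entry = branch_to_branch_elision(blocks, entry)
    return unused_code_elimination(blocks), entry

# Constructed input: a permutation realised as MOVEs, a dead MUL, a trampoline
# block B1 and an unreachable block B3.
PROGRAM = {
    "B0": [("ENTER", "r0", "r1"), ("MOVE", "r2", "r0"), ("MOVE", "r3", "r1"),
           ("MOVE", "r4", "r2"), ("ADD", "r5", "r4", "r3"), ("MUL", "r6", "r5", "r5"),
           ("JUMP", "B1")],
    "B1": [("JUMP", "B2")],
    "B2": [("MOVE", "r7", "r5"), ("EXIT", "r7")],
    "B3": [("JUMP", "B2")],
}

if __name__ == "__main__":
    print(cleanup(PROGRAM, "B0"))
```

Running `cleanup(PROGRAM, "B0")` leaves only the ENTER, one ADD reading the inputs directly, a JUMP straight to B2, and the EXIT; the MOVE chain, the trampoline, the unreachable block and the dead MUL are all gone, which is the state 5.2.15 requires before the obfuscated code is emitted.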
5.2.4 *Hash insertion and generation of unique dynamic values. Choose a randomly selected hash matrix over [...] with unique odd elements, and generate code that maps the original inputs through this matrix to produce a single output. Place this code for the hash matrix computation (initially a LINEARMAP macro instruction) immediately after the initial ENTER instruction. The single output is the "hash" of the inputs, and will be used to generate the unique dynamic values used for memory shuffling (see [...]).
Then choose permutation polynomials (PPs) [...], and, with [...] being the output register containing the output of the matrix computation above, insert code to create the values [...] on [...], where [...] and the derivation of [...] will be described subsequently. Initially, the PP computations are inserted as recode macro instructions in which all encodings are the same [...].
5.2.5 Macro expansion. All macro instructions are expanded into sequences of base instructions. This expansion is straightforward and is therefore omitted here.
After expansion, only base instructions remain.
5.2.6 *Control flow duplication. In [...] we added a matrix that maps all eight outputs to one output, and there are 20 matrices shown in Figs. 5 and 6, each representing a mapping of two or four inputs to two or four outputs respectively; each of the 21 matrix mappings is expanded into a straight-line sequence X of base instructions with no internal branch (JUMP ...) instructions.
Initially, the hash matrix computation is the first matrix mapping computation. We place the code for the matrices of each "round" of the computation in order, e.g. the rows of mixers at the start and end of the CB structure in Figs. 5 and 6, or the [...] sequence; that is, first the code for the leftmost matrix, then that for the matrix to its right, and so on. Moreover, within each "round", we note that the code computing the [...] matrix mapping comes before the code for "select 1-of-2 permutations", followed by "select 1-of-2 recodes", followed by the [...] code, followed by "select 1-of-2 recodes", followed by "select 1-of-2 permutations" on the right side of the figure.
In the representation mentioned in [...], depending on which of the 20 matrices we are processing, the code computing the effect of the matrix on the 2- or 4-vector it is applied to appears in that representation as a straight-line code sequence which:
(1) occupies an entire basic block (BB) except for a final conditional-branch sequence (the conditional branch follows a comparison and takes the form of a ULT, JUMPNZ instruction pair immediately following the matrix computation; for example, this is initially the situation for the matrices labelled [...] in Figs. 5 and 6, because they immediately follow the point at which, as indicated in the figure, the if-then-else structure of "select 1-of-2 recodes" chooses one of the two recodes, each of its then-BB and else-BB ending in a JUMP to the BB containing the code for the [...] matrix mapping, which is followed by the conditional sequence (ULT followed by the JUMPNZ that terminates the BB)); or
(2) occurs in a BB that has computation instructions both before and after it in the straight-line code of the BB; for example, this is initially the situation for each matrix labelled [...] or [...] in Figs. 5 and 6, for all matrices labelled mixer in Fig. 5, and for all matrices labelled mixer in Fig. 6 except the leftmost; or
(3) appears at the beginning of a BB and is followed by further computation instructions: this is the situation for the leftmost mixer matrix in Fig. 6; or
(4) appears at the beginning of a BB and is followed by a branch instruction (JUMP ...) or a conditional branch sequence (ULT, JUMPNZ); this does not occur initially in Figs. 5 and 6, but may occur after the processing described below.
In the manner described below, we replace each such matrix code block with a branch to one of two copies of the code block, each copy terminating in a branch to a common point; that is, in effect, we replace the code X with the following code:
[...] where r is the output of the instruction dominating X (and therefore the above if-construct), with the dominating instruction chosen uniformly at random from the possible predecessors; [...] and [...] are then the then- and else-instances of the code block X, respectively.
To implement the above transformation, we proceed as follows (per Fig. 9):
900: If the implementation is not currently in SSA form, convert it to SSA form, as described in [...].
905: Choose, uniformly at random, an instruction I from all instructions that have a single output and dominate the first instruction of the code for the subject matrix mapping.
910: Convert the implementation to SMA form, as described on p.30 above.
915: Isolate the contiguous instruction sequence comprising the matrix mapping code for the subject matrix. That is, if the first matrix mapping instruction for the subject matrix does not begin a BB, place an unconditional JUMP instruction immediately before that first instruction, thereby splitting the BB in two at that point; and if the final matrix mapping instruction for the subject matrix is not immediately before a JUMP ... or EXIT instruction, insert an unconditional JUMP instruction immediately after that final instruction, thereby splitting its BB in two at that point. At this point the original BB has been cut lengthwise into multiple BBs zero, one or two times, and the code for the subject matrix mapping is isolated in a BB containing only that mapping code followed by a single unconditional JUMP instruction.
920: Create two new BBs. One, C (for "choice"), contains only the ULT, JUMPNZ sequence implementing the [...] decision; for the register r we use the output of the instruction I chosen above. Let X be the BB isolated above; the second new BB, [...], is an exact copy of X in every respect, except that X was originally the unique node in the control-flow graph (CFG) for this code and was initially isolated, whereas now it is not, since a CFG has no isolated nodes.
925: Replace the original X in the CFG as follows. Make all branch targets that originally pointed to X point to C. On [...], make the final branch of C branch to X, and on [...] make it branch instead to [...].
935: Perform branch-to-branch elision (see [...]).
Note that although this duplicates the computation, it does not produce a duplicate that can be used for comparison, because on each execution only one of the two paths for the matrix mapping is taken.
5.2.7 Come-from insertion. If the implementation is not currently in SMA form, convert it to SMA form (see [...]).
Then, for each Boolean comparison ULT instruction computing [...] (producing 1 if true and 0 if false) whose input is provided to a JUMPNZ ("jump if true") instruction, randomly choose two constants [...] and [...], and insert code after the comparison ULT and before the JUMPNZ instruction takes its input, where the inserted code computes [...].
Insert code computing [...] at the true target of the JUMPNZ, and code computing [...] at its false target. (Recall that when the code is in CFG form, each conditional branch has two targets.)
Remember, for future use, that the outputs of the instructions computing [...] and [...] should be identical.
5.2.8 *Data flow duplication. In the manner described below, every instruction that is not a [...] or EXIT is copied (the original immediately followed by its copy), with new registers chosen for all copied instructions, so that if x and y are instructions and y is the copy of x, then:
(1) if x takes as input an output of the ENTER instruction, the corresponding input of y uses the same output;
(2) if x takes as input an output of an original instruction u that has copy v, then the corresponding input of y takes from v the output corresponding to the one x takes from u; and
(3) if x outputs to the EXIT instruction, then the corresponding output of y goes to a special unused sink node, indicating that its output is discarded.
Thus every computation other than a branch has an original and a copy occurrence.
To implement this transformation, we proceed as follows (per Fig. 10).
We add a new instruction JUMPA ("jump anywhere"), which is an unconditional branch in control-flow-graph (CFG) form with two destinations, like a conditional branch (see [...]), but with no input: instead, JUMPA chooses randomly between its two destinations. JUMPA is not actually part of the VM instruction set, and no JUMPA will appear in the final obfuscated implementation of [...] or [...].
We use JUMPA in the following transformation process.
1000: If the implementation is not in SMA form, convert it to SMA form (see [...]).
1005: For each BB [...] of the implementation, replace it with three BBs as follows: create a new BB [...] identical to [...], add a BB [...] containing only a single JUMPA instruction whose two targets are [...] and [...], and make every non-JUMPA branch target that pointed to [...] point instead to [...].
1010: Convert the implementation to SSA form (see [...]), isolating the local data flows in [...] and [...], while corresponding instructions in [...] and [...] still compute identical values.
1015: Merge all the code of each [...] back into its [...], interleaving the instructions from [...] and [...] so that corresponding instructions are adjacent: first the [...] instruction, then the corresponding [...] instruction.
1020: Make every branch target pointing to [...] point instead to [...], and remove all the [...] and [...] BBs. At this point the data flow is duplicated, the original shape of the CFG is restored, and the implementation contains no JUMPA instructions. Remember the corresponding instructions in each [...] for future use.
5.2.9 *Random cross-connection. If the implementation is not currently in SSA form, convert it to SSA form (see [...]). Because SSA form is used, the instructions known to produce identical outputs can be assignments that take their inputs from non-assignment instructions known to produce identical outputs.
Owing to the transformations applied in [...], [...] and [...], many instructions belong to pairs statically known to produce identical outputs. Such cases are noted in those sections, with the added remark that the information about the identical outputs should be retained for future use. We now make use of that retained information. The number of copies is always two: two from data flow duplication, two from the control flow duplication derived from it (because both control and data flow duplication apply to them, but only one instance of the control-flow-duplicated computation occurs in any execution of the implementation), and two from "come-from" insertion.
There are two ways in which, in an implementation in SSA form, an instruction pair can be known to have identical results as a consequence of the actions of [...], [...] and [...]. The two instructions can be data-flow duplicates of each other, or two assignments can have inputs known to be data-flow duplicates of each other, as a result of the control flow duplication of a matrix mapping computation.
Let [...] be such an instruction pair, known on the basis of the retained information to have identical outputs, each taking k inputs, where k is one or two if the instructions are base instructions (e.g. NEG or MUL) and two if they are the assignments following a control-flow-duplicated matrix mapping.
With probability [...], we flip the uses of the pair's outputs as follows: each instruction that consumes the output of [...] (if any) is modified to take the output of [...] instead, and vice versa.
We repeat this for every such pair until no such pair remains to be considered for flipping.
The effect of this transformation is as follows. As a result of data flow duplication, except at the very beginning and end of the implementation, the data flow is divided into two uniquely determined, non-overlapping subgraphs. After random cross-connection, these two data-flow graphs are thoroughly merged into a single data-flow graph.
5.2.10 *Check insertion. If the implementation is not currently in SSA form, convert it to SSA form (see [...]).
As in random cross-connection ([...]), we work through the instruction pairs known to have identical outputs because of the value duplication performed in [...], [...] and [...], that is, [...].
As in [...], such instructions may be base instructions or assignments, and we use exactly the same criterion as in [...] to identify the pairs.
Successively choose instruction pairs with known identical outputs produced by the duplication of steps [...], [...] and [...], until every pair has been chosen exactly once.
For each such instruction pair, that is [...], choose uniformly at random a single instruction [...] from all choices of [...] not previously used in this processing, or, if there is none, from all choices of [...] including those previously used, such that [...] is dominated by both of [...]. (If no such [...] exists at all, do not process the pair further: simply proceed to the next pair, or, if none remains, terminate this section.)
Let [...] be the outputs of [...] respectively. Immediately after [...], place code computing [...], and make all consumers of [...] take [...] as input instead. (Since [...], we should have [...], so this should have no net effect unless an attacker tampers with the code.)
Continue this process until every such pair has been chosen exactly once.
(Combining the checks of [...] helps prevent branch interference; if one member of a pair is modified and the other is not, the other helps defeat the tampering attack by making the downstream computation fail.)
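To make 5.2.8 to 5.2.10 concrete, here is an added example (not the patent's or Irdeto's code) on a constructed straight-line SSA program over 32-bit words: data-flow duplication produces the known-equal pairs, random cross-connection flips their consumers with probability 1/2, and check insertion feeds x + (u - v) into an instruction dominated by both members of a pair. The instruction tuples, the interpreter and the deterministic stand-in RNG used for the tampering demonstration are all assumptions of this example.

```python
import random

MASK = 0xFFFFFFFF  # the VM computes on 32-bit words (Z/2^32)

# Constructed straight-line SSA program: (op, dst, *srcs). r1 and r2 are the
# ENTER inputs; an int source is an immediate constant; OUT delivers to EXIT.
PROGRAM = [
    ("ADD", "r3", "r1", "r2"),
    ("MUL", "r4", "r3", 7),
    ("SUB", "r5", "r4", "r2"),
    ("MUL", "r6", "r5", "r3"),
    ("OUT", None, "r6"),
]
INPUTS = {"r1": 5, "r2": 9}

def run(prog, inputs):
    """Interpret a program; returns the value handed to OUT."""
    env = dict(inputs)
    val = lambda s: s if isinstance(s, int) else env[s]
    for op, dst, *srcs in prog:
        a = [val(s) for s in srcs]
        if op == "ADD":
            env[dst] = (a[0] + a[1]) & MASK
        elif op == "SUB":
            env[dst] = (a[0] - a[1]) & MASK
        elif op == "MUL":
            env[dst] = (a[0] * a[1]) & MASK
        elif op == "OUT":
            return a[0]
    raise ValueError("program has no OUT")

def dataflow_duplication(prog):
    """5.2.8: every non-OUT instruction is followed by a copy into a fresh
    register; a copy reads from copies, ENTER inputs are shared, and the copy
    of the final value is simply dropped (the 'unused sink' of item (3)).
    Returns the new program and the list of known-equal (orig, copy) pairs."""
    out, copy_of, pairs = [], {}, []
    for op, dst, *srcs in prog:
        out.append((op, dst, *srcs))
        if op == "OUT":
            continue
        dup = dst + "_dup"
        out.append((op, dup, *[copy_of.get(s, s) for s in srcs]))
        copy_of[dst] = dup
        pairs.append((dst, dup))
    return out, pairs

def random_cross_connection(prog, pairs, rng):
    """5.2.9: for each known-equal pair (u, v), with probability 1/2 every
    consumer of u is switched to v and every consumer of v to u."""
    swap = {}
    for u, v in pairs:
        if rng.random() < 0.5:
            swap[u], swap[v] = v, u
    return [(op, dst, *[swap.get(s, s) for s in srcs]) for op, dst, *srcs in prog]

def check_insertion(prog, pairs, rng):
    """5.2.10: for each pair (u, v) choose an instruction w dominated by both
    (in straight-line code: any later instruction reading a register) and
    replace one register input x of w by x + (u - v). The correction is zero
    by construction, so it costs nothing unless a copy has been tampered with."""
    out = list(prog)
    for u, v in pairs:
        pos = {ins[1]: i for i, ins in enumerate(out) if ins[1]}
        after = max(pos[u], pos[v])
        cands = [i for i in range(after + 1, len(out))
                 if any(isinstance(s, str) for s in out[i][2:])]
        if not cands:
            continue
        w = rng.choice(cands)
        op, dst, *srcs = out[w]
        k = rng.choice([j for j, s in enumerate(srcs) if isinstance(s, str)])
        diff, fixed = "chk_" + u, "fix_" + u
        out[w:w + 1] = [("SUB", diff, u, v),
                        ("ADD", fixed, srcs[k], diff),
                        (op, dst, *srcs[:k], fixed, *srcs[k + 1:])]
    return out

def transform(prog, rng):
    dup, pairs = dataflow_duplication(prog)
    return check_insertion(random_cross_connection(dup, pairs, rng), pairs, rng)

def preserves_semantics(n_seeds=25):
    """True if the obfuscated program agrees with the original for n seeds."""
    expect = run(PROGRAM, INPUTS)
    return all(run(transform(PROGRAM, random.Random(s)), INPUTS) == expect for s in range(n_seeds))

def tamper(prog, reg):
    """Attacker model for the demo: flip the ADD that defines `reg` into a SUB."""
    return [("SUB", d, *s) if d == reg and op == "ADD" else (op, d, *s) for op, d, *s in prog]

class FixedChoice:
    """Deterministic stand-in for the RNG: swap every pair and route every
    check into the last candidate (the OUT instruction), so that a tampered
    copy's difference is guaranteed to reach the program output."""
    def random(self):
        return 0.0
    def choice(self, seq):
        return seq[-1]

def tamper_demo():
    """Returns (clean output, output after tampering with the copy of r3)."""
    obf = transform(PROGRAM, FixedChoice())
    return run(obf, INPUTS), run(tamper(obf, "r3_dup"), INPUTS)

if __name__ == "__main__":
    print("semantics preserved:", preserves_semantics())
    print("clean, tampered:", tamper_demo())
```

With random seeds the obfuscated program always computes the original result, because every inserted SUB of a pair evaluates to zero. In the deterministic demonstration, changing the copy of r3 alone leaves the original r3 intact, so the four correction terms no longer cancel and the value delivered to EXIT changes, which is the failure of downstream computation that 5.2.10 relies on.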
5.2.11 Encoding transformation. If the implementation is not currently in SMA form, convert it to SMA form (see [...]).
Take each binary arithmetic operation computing
[...] where [...] is one of [...], and replace it with the computation of the following algebraic simplification
[...] or, equivalently, replace the operation with the following algebraic simplification
[...] such that for each arc connecting a producer to a consumer, the encoding of the produced value (the [...] function) matches the encoding assumed by the consumer (where the inverse of the encoding [...] is applied). That is, perform network encoding (see [...]).
When an output above is compared with [...] or is an input of a conditional branch, it must use the identity encoding. Moreover, no output that in the original program was the final output of a recode macro instruction, or of the expansion of a recode macro instruction, may be further modified; that is, RECODE is treated as performing a plaintext computation, and its output must not be encoded. Initial inputs and final outputs also use the identity encoding; that is, no output of the function computed by the program is left encoded by its encoding transformation.
When an input is a constant c, replace it with some constant [...], and treat it as if it came from a producer with the encoding [...].
Sometimes it is not possible to make the encodings of every producer and consumer match where they should. When this occurs, generate a recode with output encoding [...] and input encoding [...], and insert it on the arc to resolve the conflict.
According to the scheme chosen for this purpose, as described for example in section C, each [...] is a bijective quadratic polynomial (PP) function over [...], or the inverse of such a PP. We refer to these simply as PPs. Since PPs involve only multiplication and addition, they can be computed as a series of affine steps, and we assume this to be the case.
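An added example of the encoding transformation of 5.2.11 (not the patent's code): affine encodings and quadratic permutation polynomials over Z/2^32, a Hensel-lifting inverse for PPs (an implementation choice assumed here, since the page does not say how PP inverses are computed), the algebraically simplified encoded ADD and MUL that never expose plaintext operands or results, and a RECODE for an arc whose producer and consumer encodings do not match. The permutation criterion is Rivest's; the constants E1, E2, E3, P_IN and P_OUT are constructed.

```python
W = 32
MOD = 1 << W
MASK = MOD - 1

def pp_eval(p, x):
    """Evaluate p = (c0, c1, c2, ...) at x over Z/2^32 (Horner's rule)."""
    acc = 0
    for c in reversed(p):
        acc = (acc * x + c) & MASK
    return acc

def is_permutation_poly(p):
    """Rivest's criterion over Z/2^W: p is a bijection iff c1 is odd,
    c2 + c4 + ... is even and c3 + c5 + ... is even."""
    return (len(p) > 1 and p[1] % 2 == 1
            and sum(p[2::2]) % 2 == 0 and sum(p[3::2]) % 2 == 0)

def pp_inverse(p, y):
    """Solve p(x) = y by Hensel/Newton lifting (assumed implementation choice):
    for a permutation polynomial p'(x) is odd for every x, so each step
    doubles the number of correct low-order bits, starting from the solution
    modulo 2, where p(x) reduces to c0 + x."""
    dp = [(i * c) & MASK for i, c in enumerate(p)][1:]   # derivative coefficients
    x = (y - p[0]) & 1
    for _ in range(W.bit_length()):
        x = (x - (pp_eval(p, x) - y) * pow(pp_eval(dp, x), -1, MOD)) & MASK
    assert pp_eval(p, x) == y
    return x

def affine(e, v):
    """Affine encoding e = (a, b): v -> a*v + b with a odd (a degree-1 PP)."""
    return (e[0] * v + e[1]) & MASK

def affine_inverse(e):
    """Coefficients of e^-1: v = a^-1 * e(v) - a^-1 * b."""
    ai = pow(e[0], -1, MOD)
    return ai, (-ai * e[1]) & MASK

def encoded_add(e1, e2, e3):
    """Coefficients (A, B, C) of the single step z' = A*x' + B*y' + C equal to
    e3(e1^-1(x') + e2^-1(y')): the 'algebraic simplification' of an encoded
    ADD, with x, y and z never materialised in the clear."""
    (a1i, c1), (a2i, c2), (a3, b3) = affine_inverse(e1), affine_inverse(e2), e3
    return (a3 * a1i) & MASK, (a3 * a2i) & MASK, (a3 * (c1 + c2) + b3) & MASK

def encoded_mul(e1, e2, e3):
    """Coefficients (Dxy, Dx, Dy, D0) of z' = Dxy*x'*y' + Dx*x' + Dy*y' + D0,
    the simplification of e3(e1^-1(x') * e2^-1(y'))."""
    (a1i, c1), (a2i, c2), (a3, b3) = affine_inverse(e1), affine_inverse(e2), e3
    return ((a3 * a1i * a2i) & MASK, (a3 * a1i * c2) & MASK,
            (a3 * a2i * c1) & MASK, (a3 * c1 * c2 + b3) & MASK)

def recode(p_in, p_out, v):
    """RECODE inserted on an arc whose producer encoding p_in does not match
    the consumer's assumed encoding p_out: v -> p_out(p_in^-1(v))."""
    return pp_eval(p_out, pp_inverse(p_in, v))

# Constructed encodings: odd multipliers for the affine ones; for the
# quadratic PPs c1 is odd and c2 is even, as the criterion requires.
E1, E2, E3 = (0x9E3779B1, 0x12345678), (0x0000C3A7, 0xDEADBEEF), (0x71234567, 0x00BADC0D)
P_IN, P_OUT = (0x1234, 0x3F6D, 0x8A0E), (0xCAFE, 0x0B01, 0x10F2)

def demo_add(x, y):
    """Encode x and y under E1, E2, add in encoded space, decode under E3."""
    A, B, C = encoded_add(E1, E2, E3)
    ze = (A * affine(E1, x) + B * affine(E2, y) + C) & MASK
    return affine(affine_inverse(E3), ze)

def demo_mul(x, y):
    """Same as demo_add for multiplication (a bilinear step)."""
    Dxy, Dx, Dy, D0 = encoded_mul(E1, E2, E3)
    xe, ye = affine(E1, x), affine(E2, y)
    ze = (Dxy * xe * ye + Dx * xe + Dy * ye + D0) & MASK
    return affine(affine_inverse(E3), ze)

if __name__ == "__main__":
    print(demo_add(1234, 5678), demo_mul(1234, 5678))
    print(recode(P_IN, P_OUT, pp_eval(P_IN, 42)) == pp_eval(P_OUT, 42))
```

The point to notice is that `demo_add` and `demo_mul` hold only encoded words in their intermediate variables: the coefficients A, B, C (or Dxy, Dx, Dy, D0) are what the transformed program carries as constants, and the decoding step at the end exists only so the example can check the result; in the real implementation the consumer simply expects E3-encoded input, exactly as the network-encoding rule above requires.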
5.2.12 Register minimization. If the implementation is not in SMA form, convert it to SMA form (see [...] on p.30 above).
We now obtain the conflict graph for the lifetimes of values in registers. (A lifetime begins when a value is produced, that is, output to a register by an instruction, and ends at the point where no further use of that value is made, that is, after the last instruction that takes as input the value output by the instruction and held in the register, with no intervening change to the register: in other words, it ends after the last consumer connected to the producer by a data arc has completed execution. Two lifetimes conflict if there is a point at which both are in progress: both have begun at different producers and neither has ended.)
We can regard this as a graph whose nodes are lifetimes, in which two nodes are connected by an arc only if the lifetimes conflict. The significance of the graph is that if two lifetimes conflict, the values they produce must be stored in different registers, whereas if they do not conflict, the values may be stored in the same register.
The VM allows an unbounded number of registers (at any rate, [...] of them, which is ample), but our aim is to minimize the number of registers, so as to increase the value of memory shuffling by increasing the ambiguity that arises when many different operations use the same location.
Starting from the nodes of minimum degree in the graph, we remove one node at a time together with its incident arcs, until all nodes are removed. We then reinsert them in reverse order, together with the arcs that were removed with them, assigning each a register as it is reinserted. This is a variant of Chaitin's algorithm, and tends to produce an effective graph coloring (that is, register allocation), in the sense that the number of distinct colors (registers) tends toward the minimum.
Retain the lifetime information and the conflict graph for further use in [...] on p.53.
5.2.13 *Memory shuffling. If the implementation is not in SSA form, convert it to SSA form (see [...] on p.29 above).
Include in the implementation a memory array A containing [...] binary words, where [...] (see [...] on p.47 above).
In the code, mark all instances of an affine mapping implemented by a contiguous instruction pair (MUL, ADD) or (MUL, SUB) (depending on which instruction precedes the other), where [...] and [...] are constant inputs and x is a non-constant input, where the output of the MUL is the only input of the ADD or SUB (or vice versa), and where the affine output value y is subsequently used as input by some other instruction. Once such a pair has been found it is removed from further consideration, but the search continues until all such pairs have been found. Call these pairs [...]. Note that each such pair has only a single non-constant input x.
Associate with [...] the values [...], all initially equal to 1.
Traverse [...]. At each [...], with probability [...], change the value [...] of the traversed [...] to 2. Traverse those with value 2 and, with probability [...], change the value of each traversed [...] to 3. Traverse those with value 3 and, with probability [...], change the value of each traversed [...] to 4.
At this point, for each pair [...], there is a value K belonging to the set [...].
Define [...] as follows. Let [...] be the number of points in the lifetime of the pair's output y (computed by the affine mapping above) at which a non-branching instruction can be inserted such that, if inserted, it lies within the lifetime.
Define [...] as follows. Let [...] be the cardinality of the largest set of instructions with overlapping lifetimes (that is, instructions that lie within the lifetime, or that start it by outputting its value, or that end it along some path by consuming its value) such that no member of the set dominates any other member. This estimates the "width" of the lifetime, that is, the number of parallel paths through it.
For each such lifetime of a y output by a pair [...], select each point in the lifetime at which an instruction can be inserted as described above, with probability equal to the smaller of 1 and [...], so that in the fairly common case where [...], the lifetime of the y output contains an expected number [...] of such selected points. Let the set of selected points for a given lifetime be [...], so that the expected value [...] = [...], where [...]. (The actual value may of course differ.)
Define [...] as follows. Within the lifetime of the y output, each instruction taking the y output as input (that is, [...]) is clearly dominated by the member producing y; call this "m dominates s". If for every such [...] there exists [...] such that m dominates s and s in turn dominates [...], then [...]. Otherwise [...].
We now restrict our attention to those pairs [...] for which [...]. For each such pair [...], we allocate a new set of indices into A, [...] (see [...]), so that [...] and each member of [...] has its own assigned index. The index set of one pair may overlap that of another only if their corresponding y outputs are not connected by an arc of the conflict graph (that is, only if their lifetimes do not overlap; see [...]); under this constraint, we reuse indices among the [...] as much as possible.
Remove the pair [...] ((MUL, ADD) or (MUL, SUB)) and replace it with a RECODE, STORE, LOAD, RECODE sequence. Each RECODE maps one input to one output, so the value is recoded at each store and each load. There is thus a sequence [...], above whose last RECODE [...] is dominated, where [...] are the instructions taking the removed y output as input, and each element of the sequence dominates its successor. As a result, we take the x input of the removed sequence, map it, and deliver it to [...] through 2(k+1) RECODEs. We modify the last RECODE so that the net effect of the series of recodings is to deliver y to [...] with the input encoding expected by [...]; that is, we introduce the computation of the [...] fraction by modifying the last encoding in the sequence. We repeat this for all instructions [...], never changing an intermediate encoding once it has been chosen (because some [...] may lie on paths to multiple consumers of y); that is, once the recodings for one path have been chosen, they are not changed for another overlapping path.
We proceed as above for each pair [...] for which [...]. We then convert the implementation to SMA form (see [...]) and expand all recode macro instructions.
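An added example (not the patent's code) of the core replacement in 5.2.13 for a single consumer: the affine pair y = a*x + b becomes RECODE, STORE, LOAD, RECODE, where the stored word carries a fresh random encoding and the final RECODE folds the decoding, the affine map and the consumer's expected encoding into one step. The K-selection walk of this section is included as `choose_k`; the index allocation and the handling of multiple consumer paths are simplified to a single caller-supplied index, and all names, constants and the array size are assumptions.

```python
import random

MOD = 1 << 32
MASK = MOD - 1

def affine(a, b, v):
    """Encoding e(v) = a*v + b over Z/2^32; a is odd, so e is a bijection."""
    return (a * v + b) & MASK

def affine_inverse(a, b):
    """Coefficients (a', b') of e^-1, i.e. v = a' * e(v) + b'."""
    ai = pow(a, -1, MOD)
    return ai, (-ai * b) & MASK

def choose_k(rng, p):
    """The walk of 5.2.13: K starts at 1 and is raised to 2, then 3, then 4,
    each step taken with probability p (assumed to be the same p each time)."""
    k = 1
    while k < 4 and rng.random() < p:
        k += 1
    return k

def shuffled_affine(a, b, x, mem, idx, rng, consumer_enc):
    """Replacement for the (MUL, ADD) pair y = a*x + b feeding one consumer:
    RECODE x under a fresh random encoding, STORE it into the shuffle array
    at idx, LOAD it back, and RECODE into the consumer's expected encoding.
    The last RECODE folds decode, affine map and consumer encoding into one
    affine step, so neither x nor y ever sits in a register in the clear."""
    ra = rng.randrange(1, MOD, 2)          # odd multiplier: bijective encoding
    rb = rng.randrange(MOD)
    mem[idx] = affine(ra, rb, x)           # RECODE + STORE
    v = mem[idx]                           # LOAD
    rai, rc = affine_inverse(ra, rb)       # x = rai*v + rc
    ca, cb = consumer_enc                  # consumer expects ca*y + cb
    A = (ca * a * rai) & MASK
    C = (ca * (a * rc + b) + cb) & MASK
    return (A * v + C) & MASK              # final RECODE

CONSUMER = (0x2545F491, 0x0BADF00D)   # constructed consumer input encoding (odd multiplier)

def decoded(y_enc):
    """Undo the consumer encoding so the example can check the result."""
    ai, c = affine_inverse(*CONSUMER)
    return (ai * y_enc + c) & MASK

def demo(a, b, x, seed=0):
    """Run the shuffled computation with a seeded RNG; returns the decoded y,
    the K chosen for the pair, and whether the stored word differs from x."""
    rng = random.Random(seed)
    mem = [0] * 64                          # constructed shuffle array A
    k = choose_k(rng, 0.5)
    idx = rng.randrange(len(mem))
    y_enc = shuffled_affine(a, b, x, mem, idx, rng, CONSUMER)
    return decoded(y_enc), k, mem[idx] != x

if __name__ == "__main__":
    print(demo(7, 13, 1000))
```

Because `ra` and `rb` are drawn afresh for every replaced pair, two executions of the same affine map leave unrelated words in A, and because the consumer encoding is folded into the final RECODE, an observer of the array never sees x, y or the constants a and b.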
5.2.14 Random instruction reordering. If the implementation is not in SSA form, convert it to SSA form (see [...]).
First ensure that redundant MOVE instructions have been elided (see [...]). Then, as in [...], reorder the instructions in each BB by a topological sort under the partial ordering given by their dependencies; at each step of the sort, the successor is chosen uniformly at random from the candidate instructions.
5.2.15 Final cleanup and code elision. Perform copy elision (see [...]), branch-to-branch elision (see [...]), and unused-code elimination (see [...]).
Perform register minimization (see [...]) to minimize the number of registers (temporary variables), but do not attempt to change the number of locations used in the shuffling array A (see [...]). Once minimization is complete, the code is in SMA form.
Emit this code.
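One added example (not the patent's code) covering both 5.2.12 and 5.2.14 on a constructed SSA basic block: the lifetimes and conflict graph, a Chaitin-style colouring that removes minimum-degree nodes and reinserts them in reverse order, and the random topological reordering under the read-after-write partial order (which, as the section says, runs on SSA code, before registers are shared by allocation). The block encoding and the register names are assumptions.

```python
import random

# Constructed SSA basic block: (dst, srcs). "a" and "b" are ENTER inputs;
# t6 is the value handed to EXIT and so is never read inside the block.
BLOCK = [
    ("t1", ["a", "b"]),
    ("t2", ["t1", "a"]),
    ("t3", ["b"]),
    ("t4", ["t2", "t3"]),
    ("t5", ["t4", "t1"]),
    ("t6", ["t3", "t5"]),
]

def lifetimes(block):
    """Lifetime (start, end) of each value produced in the block: start is
    its producing instruction, end its last consumer; a value nobody reads
    here (the EXIT operand) stays live to the end of the block."""
    last_use = {}
    for i, (_, srcs) in enumerate(block):
        for s in srcs:
            last_use[s] = i
    return {dst: (i, last_use.get(dst, len(block))) for i, (dst, _) in enumerate(block)}

def conflict_graph(life):
    """5.2.12: two lifetimes conflict when one value is produced while the
    other still awaits a later use; conflicting values need distinct
    registers, non-conflicting ones may share one."""
    names = list(life)
    edges = {n: set() for n in names}
    for i, u in enumerate(names):
        for v in names[i + 1:]:
            (su, eu), (sv, ev) = life[u], life[v]
            if su < ev and sv < eu:
                edges[u].add(v)
                edges[v].add(u)
    return edges

def chaitin_allocate(edges):
    """Chaitin-style colouring: repeatedly remove a node of minimum degree
    (with its arcs), then reinsert in reverse order, giving each node the
    lowest register that none of its already-placed neighbours uses."""
    remaining, stack = set(edges), []
    while remaining:
        n = min(remaining, key=lambda x: (len(edges[x] & remaining), x))
        stack.append(n)
        remaining.remove(n)
    regs = {}
    for n in reversed(stack):
        used = {regs[m] for m in edges[n] if m in regs}
        r = 0
        while r in used:
            r += 1
        regs[n] = r
    return regs

def allocate(block):
    return chaitin_allocate(conflict_graph(lifetimes(block)))

def is_valid_allocation(block, regs):
    """No two conflicting lifetimes share a register."""
    edges = conflict_graph(lifetimes(block))
    return all(regs[u] != regs[v] for u in edges for v in edges[u])

def random_reorder(block, rng):
    """5.2.14: topological sort under the read-after-write partial order,
    picking uniformly at random among the ready instructions at each step."""
    producer = {dst: i for i, (dst, _) in enumerate(block)}
    deps = [{producer[s] for s in srcs if s in producer} for _, srcs in block]
    placed, order = set(), []
    while len(order) < len(block):
        ready = [i for i in range(len(block)) if i not in placed and deps[i] <= placed]
        i = rng.choice(ready)
        placed.add(i)
        order.append(block[i])
    return order

def is_topological(block):
    """True if every instruction follows the producers of its inputs."""
    produced = {dst for dst, _ in block}
    seen = set()
    for dst, srcs in block:
        if any(s in produced and s not in seen for s in srcs):
            return False
        seen.add(dst)
    return True

def reorder_is_sound(n_seeds=20):
    return all(is_topological(random_reorder(BLOCK, random.Random(s))) for s in range(n_seeds))

if __name__ == "__main__":
    regs = allocate(BLOCK)
    print(regs, "registers used:", len(set(regs.values())))
    print(random_reorder(BLOCK, random.Random(1)))
```

On this block the conflict graph contains the triangles t1-t2-t3 and t1-t3-t4, so three registers are the minimum, and the colouring reaches it; note that t1 and t5 share a register because t5 is produced by the very instruction that last reads t1, which is exactly the "neither has ended" boundary of the conflict definition above.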
6. transparent box mark III
Mark III proposition be different from mark I(see ) and mark II(see ) proposition because it has variable inner structure, in the inner structure that this is variable, both coefficient and structure change between basis function realizes pair.
As before, main media be the function of picture password or the Hash formed reciprocal centering according to algorithm realize reciprocal right, belong to the so right of very large series, wherein accurately to determine by algorithm and (typically large) both key K.Except key information K, form right algorithm consumption stochastic information R, its be used to specify do not affect on external behavior and only affect the realization of inter-process those obscure aspect, realize this external behavior by this inter-process.
6.1 design concept.We expect that mark III is with in this environment, in this context, realizes being exposed to white box and/or the attack of grey box, and in this context, utilizes the operation of the application of mark III to relate to the communication of across a network.
6.1.1 security refresh rate.In order to effective application safety life cycle management, application must resist attack on continuing basis.As the part of this opposing, we expect that such application is upgraded certainly in response to the security refresh message comprising security update information.Such upgrading can comprise the relevant information of patch file, table replacement, new password key and other safety.
The feasible rank of security is such rank: in the application, and security is enough refreshed continually, and the time that the time that the security damaging example will be spent refreshes cost than the security making infringement invalid is longer; That is, compared with may being typically destroyed with example, they are refreshed quickly.
This can realize at very high security refresh rate place undoubtedly.But, so frequent refresh activity bandwidth consumed, and along with we improve refresh rate, the bandwidth ratio distributing to security refresh message increases, and available non-safety useful load bandwidth reduces.
Significantly, so designing suitable security refresh rate for often kind of application is all needs, because patient expense depends on that context varies widely.Such as, if our expection only has grey box to attack (sides adjacent channel attack) in cloud application, then, compared with expect with us when having white box to attack (that is undertaken by cloud provider office worker maliciously internals attack), we are by refresh rate lower for use.
6.1.2 Outer and inner vulnerabilities and resistance to attack. Suppose our implementation computes for , where is a T-function. Then, by repeatedly applying either of these functions, we can characterize its computation precisely using a bit-slice attack. In such an attack, we first run these functions ignoring all bits except the low-order bit, then ignoring all but the two low-order bits, and so on, gaining information until the full word size (that is, 32 bits) is reached, at which point we have complete information about how the function behaves, which is equivalent to knowledge of the key k.
This is an outer vulnerability. When the attack acquires knowledge of the implementation's details, it does so without any inspection of the code that implements those details, and it can be performed as an adaptive known-plaintext attack on a black-box implementation.
A less serious vulnerability exists if the functions of the pair have the following property: each function acts as a specific T-function on a specific domain, and the number of distinct T-functions is low. In that case a statistical bucketing attack can characterize each T-function. Then, if the domains can likewise be characterized without any inspection of the code, an attacker can completely characterize the functionality of the members of the pair using an adaptive known-plaintext attack, bypassing its protection entirely using only black-box methods.
Clearly, we must ensure that the effective number of distinct T-functions is sufficient to defeat the above attack. (In the Mark III implementation there are 10^8 or more distinct T-functions per segment, and 10^40 or more T-functions overall.)
Now suppose the implementation includes functions that achieve full cascade (every output depends on every input, and on average changing one input bit changes half of the output bits). An instance of an inner vulnerability is present in the Mark II implementation, where, by "cutting" the implementation at certain points, we can find sub-implementations (components) corresponding to matrices, with a correlation rank of exactly 2x2 (in which case the component is a mixer matrix) or 4x4 (in which case it is one of the L, S or R matrices). Once these are isolated, the properties of linear functions allow these matrices to be characterized very efficiently.
This is an inner attack, because it requires non-black-box methods: it actually requires inspection of the implementation's internals, whether static (to determine correlations) or dynamic (to characterize the matrices by linearity-based analysis).
As a general rule, we can defeat outer attacks more completely, forcing the attacker into ever more fine-grained inner attacks; the attacker's work becomes harder, and most importantly, it becomes harder for the attacker to automate.
Automated attacks are especially dangerous because they can provide an effective class break, allowing every instance of a given technique to be compromised by a tool that can be widely distributed.
Therefore, the defence we seek, by using internal structures that are variable and ever more complicated and varied, is to create an environment in which
(1) any complete break of an instance requires many sub-breaks;
(2) the sub-breaks required differ from instance to instance;
(3) the structure and number of the components attacked differ from instance to instance; and
(4) the protection mechanisms employed differ from instance to instance;
so that automating the attack becomes a large enough task to deter the attacker from attempting it (because, over the long time it would take to build such an attack tool, the deployed protection can move to a new technique for which the attack tool's algorithms no longer suffice).
6.2 Initial configuration: choosing and . A Mark III function has inputs and outputs of width 12 32-bit words (384 bits overall). The implementation consists primarily of a series of segments, each of which is an instance of function-indexed interleaving (FII). Before and after this series of segments are the initial and final mixing steps, intended to defeat blind correlation-analysis attacks (attacks which obtain correlations starting from the inputs, without regard to the construction details of the implementation under attack).
We will mainly deal with . Given the FII method we know, the inverse of a segment is quite obvious, and the inverse of the whole is found by concatenating the inverses of the segments in reverse order, sandwiched between the initial and final mixing steps, also in reverse order.
Each such segment has a left function, , and a right function, , which uses a selector computed from the same inputs as the left function. The right function is a nested instance of FII. Each segment therefore divides its input and output vectors into three sub-vectors: the part that enters and leaves the outer left function, the part that enters and leaves the inner left function, and the part that enters and leaves the inner right function. We will call these the left, middle and right sub-vectors.
6.2.1 Selecting matrices over . We select matrices over in two different ways:
General: select a matrix over at random, under the sole constraints that no element is 0 or 1 and that all elements are unique; or
Invertible: select a matrix over by the method given on p. 33 for , but with the additional constraints that the generated matrix contains no element with value 0 or 1 and that all of its elements are unique.
6.2.2 *Initial and final mixing steps. In , we provide a technique for using decisions with a sorting-network topology to permute a sequence of elements, or for other forms of selection. By replacing the conditional swaps with bijective matrices that mix each input into each output, we can obtain exactly the same network topology and produce a mixing network which, at the start of a CB function, mixes each of its inputs with every other, and we can employ another such network at the end to mix each output of the CB function with every other. As in the case of permutation, the mixing is not perfectly uniform; its bias can be reduced using the technique in , but again with the conditional swaps replaced by mixing steps.
6.2.3 *Subdividing the input and output vectors. The choices below are only examples; many other choices, with different widths and wider division sizes, are possible.
If the input sub-vector of a segment is statically divided in a particular way, say 3-5-4 for the left, middle and right parts respectively, then its output is statically divided in the same way.
The permitted sub-vector lengths are three, four, five and six 32-bit words. Since each input and output vector has length 12 32-bit words (384 bits), it follows that the ten permitted configurations, in lexicographic order from left to right and then downward, are:
If we number the ten configurations above from 0 to 9, then the configuration number chosen for each segment we generate is selected statically by rand(10); that is, at construction time we choose uniformly at random among the ten possibilities above.
6.2.4 *Choosing the ordering of a segment's inputs and outputs. The initial inputs are fed into the first segment of or , and those inputs are therefore unconstrained. Similarly, the last segment of or produces the outputs, and those outputs are therefore unconstrained. Hence the inputs of the first segment and the outputs of the last segment are attached, uniformly at random, to the initial inputs and the final outputs respectively.
In every other case, we choose the ordering of a segment's inputs and outputs as follows.
We observe that for any segment, the outputs of its left output sub-vector depend only on the inputs of its left input sub-vector, the outputs of its middle output sub-vector depend only on the inputs of its left and middle input sub-vectors, and the outputs of its right output sub-vector depend on the inputs of its left, middle and right sub-vectors.
Therefore the inputs of a segment Y are statically linked, uniformly at random, to the outputs of its predecessor segment X, under the following constraints.
(1) The outputs of the right output sub-vector of segment X must have the maximum number of links to the inputs of the left input sub-vector of segment Y. For example, if X is a 6-3-3 segment and Y is a 3-4-5 segment, then three of the outputs of X's right output sub-vector are linked to the three inputs of Y's left input sub-vector.
(2) Any outputs of X's right output vector not linked to inputs of Y's left input vector under constraint (1) must be linked to inputs of Y's middle input vector. For example, in the 6-3-3 X, 3-4-5 Y case above, the remaining three outputs of X's right output vector are linked to three of the inputs of Y's middle input vector.
(3) After constraints (1) and (2) are satisfied, the outputs of X's middle output vector are linked to the leftmost available input sub-vector inputs of Y, where those in Y's left input sub-vector count as leftmost, those in Y's middle input sub-vector lie between leftmost and rightmost, and those in Y's right input sub-vector count as rightmost.
The general idea above is this: when we transfer information from one segment to the next, we try to maximize the static dependencies of the inputs. We guarantee that "full cascade" (every output depends on every input) is always achieved after two segments, and we also try to maximize the width of the data flow carrying these dependencies (hence constraints (2) and (3) above).
6.2.5 *Concatenating segments. (and therefore ) is a sequence of segments. The basic configuration of each segment is selected statically according to , and each is statically linked either to the original inputs or to its predecessor . The number of successive segments making up the implementation of (and therefore ) is chosen uniformly at random from the set {5, 6, 7}.
6.2.6 *Immutable encodings. At some points in the code we use immutable encodings. The meaning of an immutable encoding, whether it is an identity encoding, a linear encoding or a permutation-polynomial encoding, is that when it is applied during obfuscation or in the implementation it cannot be changed: its presence is part of the semantics and therefore cannot be modified.
If an immutable encoding is mentioned without an encoding being specified, a permutation polynomial is used.
6.2.7 *Creating a segment. Given a configuration (such as ), we create a segment as follows (referring to Figure 11):
1100 Using the invertible method, select a matrix L, a matrix M and a matrix R, together with 24 immutable encodings chosen uniformly at random: 12 applied to the inputs of these matrices and 12 applied to their outputs (treating each matrix as a vector-mapping function). Let us call these three matrices, together with their input and output immutable encodings, the functions . Thus , and, attached to a matrix X, , where performs the immutable output encoding and performs the immutable input encoding.
1105 Using the method, select a selector matrix C with corresponding function C, which takes the same inputs as and has input encoding and output encoding ; that is, . (The corresponding segment will have a selector of the form , which will of course be simplified.)
Take the two high-order bits of the output of C and add 2 to form an iteration count in the range 2 to 5. One less than this iteration count is a number in the range 1 to 4, which is the number of times the output of the whole right-side function (which takes inputs and produces outputs, before its output is passed to the following segment) is fed directly back to its input and the whole is executed again.
1110 Select selector functions and , each similar to C above. The four high-order bits of each provide a number in the range 0 to 15, which, added to 8, gives a rotation count in the range 8 to 23. The rotation count is applied to the inputs of , and the rotation count is applied to the outputs from .
These rotations are not permuted when the inputs and outputs are permuted in the next step.
1115 Select a pair of selectors , each similar to C above, which provide just enough bits for and just enough bits for , respectively, to control, by the method of , the random swaps and by which we randomly permute the inputs to and the outputs from . Each is compared with a swap probability of approximately to generate the Boolean decision (swap or do not swap).
The logical ordering of the functionality chosen around the s inputs and outputs of is: initial rotation, then initial permutation, then input encoding, then matrix mapping, then the input/output function (the part of the functionality), then output encoding, then output permutation, then final rotation. When a selector uses the inputs of , it uses them with the same encoding (that is, the encoding) as does, so regardless of any permutation the selector always sees exactly the same inputs in exactly the same order as .
Note that all of the above steps lie inside the functional loop of ; that is, all operations from the initial rotation to the final rotation are performed in each iteration.
As a result, simplifications are possible: for example, the input encoding need not be done separately for and for the selectors that use the inputs of ; they can share the same encoded values.
1125 We now continue with the inner FII implementation, which is composed of the s-input/output segment and the t-input/output segment (the part and the part of the functionality).
Using the general method, select a selector matrix with corresponding function , which takes the same inputs as and has input encoding and output encoding ; that is, . (The corresponding segment will have a selector of the form , which will of course be simplified.)
Take the two high-order bits of the output of and add 2 to form an iteration count in the range 2 to 5. One less than this iteration count is a number in the range 1 to 4, which is the number of times, during one iteration of the component loop for the s inputs and outputs, the output of the functionality (which takes t inputs and produces t outputs) is fed directly back to its input and the whole is executed again. That is, in one iteration of the middle s-input/output segment, all of the iterations for the t inputs and outputs are performed; so if the s part iterates four times and the t part's iteration count is three, the t part is repeated 12 times: three times for each s-part iteration.
1130 Select selector functions and , each similar to above. The four high-order bits of each provide a number in the range 0 to 15, which, added to 8, gives a rotation count in the range 8 to 23. The rotation count is applied to the inputs of , and the rotation count is applied to the outputs from .
These rotations are not permuted when the inputs and outputs are permuted in the next step.
1135 Select a pair of selectors , each similar to above, which provide just enough bits for and just enough bits for , respectively, to control, by the method of , the random swaps and by which we randomly permute the inputs to and the outputs from . Each is compared with a swap probability of approximately to generate the Boolean decision (swap or do not swap).
The logical ordering of the functionality chosen around the t inputs and outputs of is: initial rotation, then initial permutation, then input encoding, then matrix mapping, then output encoding, then output permutation, then final rotation. When a selector uses the inputs of , it uses them with the same encoding (that is, the encoding) as does, so regardless of any permutation the selector always sees exactly the same inputs in exactly the same order as .
Note that all of the above steps for the t inputs and outputs (the part) lie inside the functional loop of ; that is, all operations from the initial rotation to the final rotation are performed in each iteration.
As a result, simplifications are possible: for example, the input encoding need not be done separately for and for the selectors that use the inputs of ; they can share the same encoded values.
6.3 Obfuscating the implementation of or . The following method is used to obfuscate a program implementing or , where the implementation has the structure given above.
The transformations in the following subsections are performed one after another, except where the body of a subsection states otherwise.
6.3.1 Cleanups. The cleanups listed in , and are performed as needed, as in the Mark II implementation.
6.3.2 *Hash insertion and generation of unique dynamic values. The transformation is performed, but using a matrix that takes all of the inputs. Otherwise this is very similar to the corresponding Mark II step.
6.3.3 Macro expansion. This is done as in the Mark II implementation.
6.3.4 Come-from insertion. This is done as in the Mark II implementation. Note that in Mark III, all control flow is created by the nested per-segment loops.
6.3.5 Random instruction re-ordering. We observe that in the function-indexed interleaving (FII) employed in the segments of the implementation, the inputs and outputs are divided into possibly irregular groups of widths and respectively. In and ,
the r outputs depend only on the r inputs;
the s outputs depend on the r and s inputs; and
the t outputs depend on the r, s and t inputs.
The selector for the FII between r and s is considered part of the s computation, and the selector for the FII between s and t is considered part of the t computation. Note that with this interpretation, the s outputs do not depend on the r outputs, and the t outputs do not depend on the r and s outputs.
If the implementation is not in SSA form, convert it to SSA form (see ) and remove redundant MOVE instructions (see ).
We now topologically sort each segment by itself, thereby randomly mixing the r, s and t instruction sequences.
Similarly, we topologically sort the initial mixing by itself and the final mixing by itself.
We concatenate the sorted orderings: initial mixing, segment 1, segment 2, ..., segment k, final mixing. This concatenated ordering defines a new "precedes" relation R. We create a new relation as follows: uniformly at random, remove one of every two arcs, and merge with the execution constraints to form the overall "precedes" relation ; the whole sequence is then topologically sorted again.
6.3.6 *Data-flow duplication. This is done as in the Mark II implementation (see ).
6.3.7 *Random cross-connection. This is done as in the Mark II implementation (see ).
6.3.8 *Check insertion. This is done as in the Mark II implementation (see ), with the following change: among the candidate sets for checking, the candidate in the current segment is selected with probability (if such a candidate exists), and the candidate in the following segment is selected with probability (if such a candidate exists). As a result of this change and of the modified re-ordering scheme in , with high probability all of the segments are made mutually dependent through the cross-connections of the inserted checks.
6.3.9 Code transformation. This is done as in the Mark II implementation (see ).
6.3.10 Register maximization. This is done as in the Mark II implementation (see ).
6.3.11 *Memory shuffling. This is done as in the Mark II implementation (see ). Note that because we have loops but no , minimal is generated, which eliminates some exceptions that may arise in the Mark II implementation.
6.3.12 Final cleanups and code emission. These are done as in the Mark II implementation (see ).
7. fusion and anchoring techniques
The value of a member of a pair of mutually inverse base functions increases greatly if it can be anchored to the application that employs it and the platform on which that application resides, and if its data and code can be fused with the data and code of the application of which it forms a part, in the sense that the boundaries between the different kinds of data or code become blurred.
The effects of such anchoring and fusion are:
(1) code-lifting and data-lifting attacks are defeated,
(2) attacks on entry points, exit points and other boundaries are defeated by obscuring the exact location of the boundary, and
(3) the dependencies between the protective code and data and the contextual code and data around them are increased, which increases tamper resistance by increasing fragility under tampering.
The kinds of data and code boundaries addressed are:
(1) the input boundary, where unencoded data must be encoded and brought from its unprotected domain into the protected domain (see ),
(2) the output boundary, where protected data must be decoded and brought from the protected domain into the unprotected domain (see ),
(3) the entry boundary, where control passes from unprotected code into protected, obfuscated code (see ),
(4) the exit boundary, where control passes from protected, obfuscated code to unprotected code (see ),
(5) the separation boundary, where data change from a form in which the entropy from multiple variables is uniformly mixed across a bit vector of configurable size into a form in which the entropy from individual variables is more isolated, but still encoded, and computation is performed on these more isolated variables, and
(6) the compound boundary, where data change from the encoded but relatively isolated form (typically the result of computation on such variables) into a form in which the entropy from multiple variables is uniformly mixed across a bit vector of configurable size.
The challenge in protecting separation and compound boundaries is that the data on which computation is performed after separation or before mixing frequently come from other sites at which the data are also separated into relatively few variables. This permits an attack in which the isolated variables are perturbed, with the result that, after mixing and renewed separation, the isolated variables respond to the perturbation, thereby revealing a connection between the values exposed at the perturbation site and those at the responding site.
Beyond the simple mixing above, we seek to anchor code and data to their context by means of interlocking techniques, including:
(1) data-dependent coefficients, where the data flow at some code site provides the variables used to compute coefficients that control the encodings at a subsequently executed code site (see below), and
(2) data-flow duplication with cross-checking and cross-trapping, where some parts of the data flow are duplicated (but with different encodings), data-flow links are swapped between the copies, and computations are injected which have no net effect if the copies agree on their unencoded values but cause the computation to fail abruptly or degrade if the copies fail to agree on their unencoded values,
(3) data-flow corruption and repair, where errors are injected into the data flow at some code site and repaired at a subsequently executed code site,
(4) control-flow corruption and repair, where only the currently running code needs to be in a correctly executable state, as long as it ensures the correct executability of the succeeding state as part of its own execution; in effect there is a window of correctness that moves with the currently running code, and code is corrupted on exit unless it is repaired before entry, via changes to data such as routine variables, case indices and the like, so as to avoid the problems inherent in self-modifying code; that is, all such corruption should affect the data used in control rather than the actual code itself,
(5) shared blackboards, where multiple code segments use an instance of dynamic data mangling in which dynamically addressed storage and continual data shuffling and re-encoding are shared among the code segments, making it harder for an attacker to separate the data flow belonging to one code segment from the data flow of the others,
(6) parallel functions, where the code performing a function is interleaved with the code performing one or more other functions, so that two or more functions are executed in parallel by a single thread of control, which (combined with the techniques above) makes the code for the two functions hard to separate, and
(7) subset lumps and pieces, where we deploy the lump-and-piece control-flow-protection subset of the patent (US 6,779,114), including very large switchable routines into which multiple routines are assembled as a single routine.
7.1 Data-dependent coefficients. Examining the inversion equations for permutation polynomials (see , and ), we note that multiplicative ring inverses (over the word ring of current computers, typically or ) are used extensively. (They are the denominators in the fractional forms of the equations: for example, means and means , where is the multiplicative ring inverse of .)
For a machine with w-bit words, let and be two numbers with , where is the multiplication operation in the ring, that is, the multiplication of two w-bit binary words in which overflow is ignored, as in C and C++.
Although we can find such inverses by computing with the extended Euclidean algorithm [15, 26], this is undesirable because the algorithm is easily recognized. We therefore need other means of converting some of the entropy supplied by the input data into the selection of random coefficients for permutation polynomials.
We recall that the method along these lines selects, in advance and at random, the numbers
where each is an odd number in the range 3 to inclusive, all are pairwise distinct, and no pair in the list has . We also find their multiplicative inverses in advance, using the extended Euclidean algorithm mentioned above.
Then, for any random nonzero word value v, which we select from an earlier computation in the CB function, we use the product c of the bits of v: if bit is set in v, then is in the product. This gives a product of from 1 to w factors, whose inverse is found by reusing v: if bit is set in v, then is in the inverse product.
If w = 32, this gives us a very large number of potential coefficients and inverse coefficients. In fact, the number is so large that we can choose to use only part of v (that is, replace w by some smaller number and keep a smaller number of and their inverses), and it may still be sufficient: 18 bits instead of 32 would allow selection among over 200,000 coefficient and inverse-coefficient pairs.
Note that we have provided only a means of generating odd coefficients. Other kinds of coefficients are easier to generate, because for or we only need their additive inverses (even elements have no multiplicative inverse). To generate an even coefficient, we simply double the generated value v. To create a coefficient whose square is 0, we simply shift v logically left by positions (that is, we multiply by , ignoring overflow).
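As an added example, not the page's or Irdeto's own code, the following C program implements the coefficient scheme of section 7.1 for w = 32: a table of pre-selected odd constants with their ring inverses, the data-dependent product over the set bits of a word v (using 18 or all 32 bits of v), the matching inverse product, the even and square-zero variants, and a linear permutation-polynomial encode/decode round trip that confirms the derived inverse. It assumes Newton's iteration in place of the extended Euclidean algorithm for the precomputed inverses (same result), a fixed-seed LCG for the constants, w/2 as the shift count for the square-zero coefficient (the page leaves it unstated), and a reading of the elided pair constraint as "no entry is the inverse of another".

```c
#include <stdint.h>
#include <stdio.h>

#define W 32u   /* word width in bits; the page's worked numbers assume w = 32 */

/* Multiplicative inverse of an odd word in the ring Z/2^32. The page finds
   these once, in advance, with the extended Euclidean algorithm; Newton's
   iteration used here gives the identical value and needs no wide or signed
   arithmetic (each step doubles the number of correct low-order bits). */
static uint32_t inv_mod_2_32(uint32_t a)
{
    uint32_t x = a;                 /* a*a == 1 (mod 8): 3 correct bits */
    for (int i = 0; i < 5; i++)     /* 3 -> 6 -> 12 -> 24 -> 48 -> 96 bits */
        x *= 2u - a * x;
    return x;
}

/* Odd constants c[i] chosen in advance, with their inverses cinv[i]. */
typedef struct { uint32_t c[W]; uint32_t cinv[W]; } coef_table;

/* Fill the table from a small LCG with a fixed seed so the run is
   reproducible; these values are constructed here, not taken from the page. */
static void table_init(coef_table *t, uint32_t seed)
{
    uint32_t s = seed;
    unsigned i = 0;
    while (i < W) {
        s = s * 1664525u + 1013904223u;
        uint32_t cand = s | 1u;                  /* odd */
        if (cand < 3u) continue;                 /* the page's range: 3 .. 2^w - 1 */
        uint32_t cand_inv = inv_mod_2_32(cand);
        int ok = 1;
        for (unsigned j = 0; j < i; j++)
            /* pairwise distinct; also reject the inverse of an earlier entry
               (assumed reading of the page's elided pair constraint) */
            if (t->c[j] == cand || t->c[j] == cand_inv) { ok = 0; break; }
        if (!ok) continue;
        t->c[i] = cand;
        t->cinv[i] = cand_inv;
        i++;
    }
}

/* Data-dependent coefficient: the product of c[i] over every bit i set in
   the low nbits bits of v (v must have at least one such bit, as the page
   requires). With inverse != 0 the same product is taken over cinv[i], which
   yields the inverse coefficient: the ring is commutative and each factor is
   invertible on its own. */
static uint32_t coef_from(const coef_table *t, uint32_t v, unsigned nbits, int inverse)
{
    const uint32_t *src = inverse ? t->cinv : t->c;
    uint32_t p = 1u;
    for (unsigned i = 0; i < nbits; i++)
        if (v & (1u << i)) p *= src[i];
    return p;
}

/* Even coefficient: double the generated value (section 7.1). */
static uint32_t even_coef(uint32_t v) { return v << 1; }

/* Coefficient whose square is 0 mod 2^32: shift left by at least w/2 bits.
   The page leaves the shift count unstated; w/2 = 16 is this example's choice. */
static uint32_t nilpotent_coef(uint32_t v) { return v << (W / 2); }

/* Linear permutation-polynomial encoding y = a*x + b with a odd, and its
   inverse x = a^-1 * (y - b), using the data-dependent a and derived a^-1. */
static uint32_t encode_lin(uint32_t x, uint32_t a, uint32_t b) { return a * x + b; }
static uint32_t decode_lin(uint32_t y, uint32_t ainv, uint32_t b) { return ainv * (y - b); }

/* Returns 1 if coefficients derived from v (using 18 bits of v, then all 32)
   round-trip the sample words and the even/nilpotent variants behave as
   section 7.1 states; returns 0 at the first failure. */
static int selftest(void)
{
    coef_table t;
    table_init(&t, 12345u);
    const uint32_t samples[] = { 0u, 1u, 0xDEADBEEFu, 0x80000000u, 0xFFFFFFFFu };
    const uint32_t v = 0x2A5F13C7u;   /* constructed entropy word from an earlier step */
    const uint32_t b = 0x5EED1234u;   /* constructed additive constant */
    for (unsigned nb = 18; nb <= W; nb += 14) {         /* nb = 18, then 32 */
        uint32_t a = coef_from(&t, v, nb, 0), ainv = coef_from(&t, v, nb, 1);
        if ((a & 1u) == 0u || a * ainv != 1u) return 0;
        for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
            if (decode_lin(encode_lin(samples[k], a, b), ainv, b) != samples[k]) return 0;
    }
    if ((even_coef(v) & 1u) != 0u) return 0;
    if (nilpotent_coef(v) * nilpotent_coef(v) != 0u) return 0;
    return 1;
}

int main(void)
{
    coef_table t;
    table_init(&t, 12345u);
    printf("a = %08x  a^-1 = %08x  selftest = %d\n",
           coef_from(&t, 0x2A5F13C7u, 18, 0), coef_from(&t, 0x2A5F13C7u, 18, 1), selftest());
    return 0;
}
```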
7.2 Fine-grained control of encoding strength. In the current code transformation there are settings called the data-flow level and the control-flow level, which normally run from 0 to 100 and indicate how strongly the data flow or control flow should be encoded.
Traditionally, the externally visible mechanism for fine-grained control of this has two variants:
(1) an abrupt difference in behaviour at some specific numeric threshold of the data-flow or control-flow level, such that below the threshold a certain transformation is not applied and above the threshold it is applied, and
(2) a difference in the probability threshold for performing a certain transformation on a certain code fragment, such that at a lower data-flow level a pseudo-random variable might have to fall above 0.8 to trigger the transformation, whereas at a higher data-flow level it might only have to fall above 0.2 to trigger it.
We have no quarrel with method (1), but we can improve on (2). The problem with method (2) is that, purely by chance, the level actually achieved may not fall near the intended level. We therefore propose the following improvement.
We keep a running tally of the total number of sites to be covered, a running tally of the sites covered so far, and counts of how many of those received the controlled transformation (the included sites) and how many did not (the excluded sites). When the proportion of included sites is below the desired proportion, we raise the probability of performing the transformation above its normal value, and when it is above the desired proportion, we lower the probability of performing the transformation below its normal value. Suitable settings for the degree of raising and lowering can be determined by experiment. This makes the effective rate of protection for the affected code region track the desired proportion closely, instead of drifting away from it through probabilistic effects.
This has its best effect when the total number of potential sites is large. If only a few sites exist, and there is no massive code duplication to increase the effective number of sites, then little fine-grained control is available.
This is easily extended to the case of more than two choices. Consider, for example, the use of permutation-polynomial encodings over (or, on newer and more powerful platforms, over ). If we vary between no encoding and encodings of degree 1 to 6, then there are seven possible choices to cover, among which we assign probabilities according to the desired proportions. The same principle applies: if we are getting too little of something, we push its probability up; if we are getting too much, we lower its probability.
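The tally-driven adjustment of section 7.2, generalized to the seven-way choice described in the last paragraph (no encoding, or a permutation polynomial of degree 1 to 6), as an added example that is not the page's own nor the code transformer's implementation. The adjustment factor of 2.0, the seven target proportions, the two-way target, and the LCG used to draw the pseudo-random variable are constructed assumptions; the page says the degree of adjustment is to be found by experiment.

```c
#include <stdio.h>

#define MAX_OPTS 8
/* Factor by which an under-represented choice's probability is pushed up and
   an over-represented choice's probability is pulled down. The page leaves
   the degree to experiment; 2.0 is this example's constructed choice. */
#define ADJUST 2.0

typedef struct {
    int      nopts;              /* number of choices: 2 (include/exclude) or 7 */
    double   target[MAX_OPTS];   /* desired proportion of sites per choice, summing to 1 */
    unsigned count[MAX_OPTS];    /* running tally of sites that received each choice */
    unsigned seen;               /* running tally of sites decided so far */
} coverage;

static void coverage_init(coverage *c, int nopts, const double *target)
{
    c->nopts = nopts;
    c->seen = 0;
    for (int i = 0; i < nopts; i++) { c->target[i] = target[i]; c->count[i] = 0; }
}

/* Decide the choice for one candidate site. u is a pseudo-random number in
   [0,1). Each choice's normal probability (its target) is raised when its
   proportion so far is below target and lowered when above; the adjusted
   weights are renormalized and sampled. With nopts == 2 this is exactly the
   page's include/exclude scheme. */
static int coverage_choose(coverage *c, double u)
{
    double w[MAX_OPTS], sum = 0.0;
    for (int i = 0; i < c->nopts; i++) {
        double actual = c->seen ? (double)c->count[i] / c->seen : c->target[i];
        w[i] = c->target[i] * (actual < c->target[i] ? ADJUST : 1.0 / ADJUST);
        sum += w[i];
    }
    int pick = c->nopts - 1;
    double acc = 0.0;
    for (int i = 0; i < c->nopts; i++) {
        acc += w[i] / sum;
        if (u < acc) { pick = i; break; }
    }
    c->count[pick]++;
    c->seen++;
    return pick;
}

/* Largest absolute gap between achieved and desired proportion, in percent. */
static double coverage_max_gap_pct(const coverage *c)
{
    double worst = 0.0;
    for (int i = 0; i < c->nopts; i++) {
        double gap = (double)c->count[i] / c->seen - c->target[i];
        if (gap < 0.0) gap = -gap;
        if (gap > worst) worst = gap;
    }
    return worst * 100.0;
}

/* Deterministic LCG so the run is reproducible (constructed, not the tool's PRNG). */
static double next_uniform(unsigned *state)
{
    *state = *state * 1664525u + 1013904223u;
    return (*state >> 8) / 16777216.0;          /* 24 bits -> [0,1) */
}

/* Two-way include/exclude case: the achieved inclusion proportion after
   nsites decisions when the desired proportion is p. */
static double simulate_two_way(unsigned nsites, unsigned seed, double p)
{
    const double target[2] = { p, 1.0 - p };
    coverage c;
    coverage_init(&c, 2, target);
    unsigned st = seed;
    for (unsigned i = 0; i < nsites; i++) coverage_choose(&c, next_uniform(&st));
    return (double)c.count[0] / c.seen;
}

/* Seven-way case from section 7.2: worst gap in percent between achieved and
   desired proportions after nsites decisions. */
static double simulate_seven_way(unsigned nsites, unsigned seed)
{
    /* constructed desired mix: 10% unencoded, then 30/25/15/10/5/5 % for degrees 1..6 */
    const double target[7] = { 0.10, 0.30, 0.25, 0.15, 0.10, 0.05, 0.05 };
    coverage c;
    coverage_init(&c, 7, target);
    unsigned st = seed;
    for (unsigned i = 0; i < nsites; i++) coverage_choose(&c, next_uniform(&st));
    return coverage_max_gap_pct(&c);
}

int main(void)
{
    printf("two-way (p=0.3, 1000 sites): %.4f\n", simulate_two_way(1000u, 1u, 0.3));
    printf("seven-way worst gap (10000 sites): %.3f%%\n", simulate_seven_way(10000u, 42u));
    return 0;
}
```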
7.3 Input and output boundaries. At the input boundary, unencoded data must be encoded and brought from its unprotected domain into the protected domain. At the output boundary, protected data must be decoded and brought from the protected domain into the unprotected domain.
This is the right place to deploy the encoding-strength control for data flow (see ). Measuring data-flow distance as a number of graph arcs in the data-flow graph, where an arc connects the operation that produces a value to the operation that consumes it, we proceed as follows.
(1) The implementation is protected at its chosen (usually quite high) strength.
(2) For both the input boundary and the output boundary, operations within arcs of the implementation's interior operations are protected with a strength that weakens with distance, until the normal code-transformation strength of the surrounding code is reached.
This requires that we can measure such distances, which in turn requires some additional support from the code transformer to add such selective distance information and to respond to it by controlling the encoding strength as outlined.
The supplementary protection applied to the I/O boundaries consists of data-dependent coefficients, to increase the dependency between the computation at the entering base function and the code providing its inputs, and between the computation receiving the base function's outputs and the code in the implementation providing those outputs, together with a shared blackboard (if data can enter and leave via a shared blackboard, an instance of dynamic data mangling, it is much harder for an attacker to follow the data flow in order to trace these data).
7.4 Entry and exit boundaries. Typically, the point at which an implementation receives its inputs immediately follows the point at which control enters the implementation, and the point at which the implementation provides its outputs immediately precedes the point at which control leaves the implementation.
As a result, protection at also protects the entry and exit boundaries. However, this implementation will typically have stronger control-flow protection than code under conventional code transformation.
We therefore need to perform a fine-grained, gradual ramp-up of the control-flow level on entry and a gradual ramp-down on exit. Here the distance metric we adjust by is the estimated number of FABRIC or machine-code instructions to be executed along the shortest path leading from the entry point (for entry) or to the exit point (for exit), with the fusion carried out over a distance of, say, 100 or 200 instruction units for each entry and exit.
This would also be an excellent place to deploy control-flow corruption and repair, binding the code near entries to the protective entry code and the code moving away from exits to the protective exit code, thereby increasing the level of protection near the protective entries and exits.
7.5 Separation and mixing boundaries. The general situation in which we encounter separation and mixing boundaries is one where structured data is output from the implementation in slightly encoded or unencoded form, or slightly encoded or unencoded structured data enters the implementation, or part of the implementation sandwiches a decision computation that we wish to hide.
The effect of separating and/or mixing is that, after separation or before mixing, we have data that are potentially exposed, thereby creating a point of attack. Apart from the protections already covered for these situations, we need stronger protection for any computation sandwiched between the base functions that we use as separation or mixing functions.
If the decision is based on checking a password or some similar equality comparison, then our strongly preferred method for protecting it, as the best choice, is that of . But we are seldom so lucky.
The more common situation is that we need to perform some arithmetic, some comparisons, some bitwise Boolean operations, and so on. For these, we recommend the following protections (see ):
(1) first and most important, data-flow duplication with cross-checking and cross-trapping, to increase the data dependence between the initial base function and the decision code, and between the decision code and the final base function;
(2) liberal use of data-flow dependent coefficients: the coefficients in the decision block are set by the preceding base function, and the coefficients in the following base function are set by the code in the decision block;
(3) use of the shared blackboard (the dynamic data mangling array) as the site of communication from the initial base function to the decision code and from the decision code to the final base function; and
(4) where possible, parallel functions, so that the decision-block code is mixed with other, unrelated code, making it difficult for an attacker to analyze and to distinguish the code from the parallel computations by interleaving their computations.
7.6 General protections. Some protections can be applied at each boundary, and between boundaries, to further protect the code in the context in which the base functions are deployed, namely control- and data-flow corruption and repair, parallel functions, and subset grouping and segmentation. Where feasible, these added protections increase the analysis difficulty faced by the attacker; in particular, they render static analysis infeasible and make dynamic analysis costly.
7.7 An exemplary protection scenario. Data are provided in a form encoded via a base function, so that the information is spread across its whole state vector. The encoded data therefore comprise
(1) a 128-bit key;
(2) a 128-bit data structure with various fields, some only a few bits wide, one 32 bits wide, and some up to 16 bits wide.
A computation is to be performed on the fields of the data structure and on information about the current platform, as a result of which either the key is delivered in a usable form (indicating that the current platform information plus the delivered data structure led to the decision to release the key), or a meaningless string of the same size as the key is delivered in a form that appears to succeed but in fact fails (indicating that the current platform information plus the delivered data structure led to the decision not to release the key).
The attacker's goal is to obtain the 128-bit key, regardless of the contents of the fields and the information about the current platform. The defender's goal is to ensure that the key is delivered correctly when the decision is "yes", unless the defender's implementation has been tampered with, but that in the cases where the decision would be "no" in the untampered situation, the key is unavailable to the attacker.
This captures the main fusion needs of the protection system: there are input, output, entry, exit, separation and mixing boundaries to be protected.
7.8 Implementing the protection with fusion. Here, for the protection scenario proposed in (p. 67) and described in , we describe the implementation of the protection, working through the list that begins with subset grouping and segmentation and with data-flow dependent coefficients.
7.8.1 Starting configuration. We begin with a configuration comprising the intermediate representation of the protection system's core transcoder, comprising the application that inputs a 256-bit value (containing the 128-bit key in encoded form) and a 128-bit data structure to its 128-bit × 256-bit function, and that receives from it a 128-bit key in a different encoding.
The core comprises:
(1) a 256-bit to 256-bit entry base function, which accepts 256 bits whose entropy is mixed across all 256 bits and decodes them into a structure comprising a 128-bit encoded key (pre-encoded by some other 128-bit to 128-bit base function) and a 128-bit data structure with fields in smooth (unencoded) form;
(2) a decision block, which accepts the 128-bit data structure and the 128-bit key, performs a computation on the fields of the 128-bit data structure, decides whether to release the key, and provides to the second, 128-bit to 128-bit base function either the 128-bit encoded key itself (if the decision is "proceed") or, using the value of the key and the 128-bit data structure as a source of entropy, a meaningless value of the same width as the encoded key;
(3) a 128-bit to 128-bit exit base function, which returns the key in a different encoding, the one used by some white-box cipher function (e.g., AES-128).
The entry and exit base functions are constructed as determined for Mark III (see ). The core is inline code within the routine containing it; that is, it is not entered by a routine call and not exited by a routine return: rather, the surrounding functionality is contained in the same routine as the core.
The combination of the core and the application is called the program.
7.8.2 * Segmenting the input and output vectors. The following material is exemplary; broader choices exist. Here we choose doubly recursive function-indexed interleaving, which divides a segment into three parts. Singly recursive (two-part division), triply recursive (four-part division) or rank-n recursive ((n+1)-part division) interleaving are also possible.
In , the partitioning of the I/O vectors for a Mark III implementation at 12 words wide (384-bit I/O) is given. From the above, we have an 8-word-wide entry base function and a 4-word-wide exit base function. We subdivide the entry segments as follows:
If we number the four configurations above in order from 0 to 3, then the configuration number chosen for each segment we generate is selected statically by rand(4); that is, we choose uniformly at random, at construction time, from the four possibilities above.
For the exit base function, the segments are subdivided as follows:
If we number the three configurations above in order from 0 to 2, then the configuration number chosen for each segment we generate is selected statically by rand(3); that is, we choose uniformly at random, at construction time, from the three possibilities above.
7.8.3 * Distance metrics. We use metrics of the distance from operations to the core (for inputs) and from the core to operations (for outputs). There are four metrics: two for data-flow distance and two for control-flow distance.
---------------------------------------------------------
* Data-flow distance. We collect input distances down to -200 and output distances up to +200. Beyond this point we may ignore larger distances, and apply heuristics to avoid computing them.
Each computational instruction in the core has distance zero from the core. (A computational instruction is one that inputs one or more values or outputs one or more values.)
The distance of every other computational instruction (CI) from the core is negative if it provides a value that affects a value consumed by the core, or positive if it consumes a value that is affected by a value produced by the core.
We assume that, for the most part, both cannot be true; that is, the core is not in the body of a loop in which the core is repeated, or it is in a loop, but the loop is so extensive that we can ignore any information fed into the core that is affected by output from a previous execution of the core. However, an instruction may reside in a routine that is called both before and after the core executes, in which case its data-flow distance comprises a pair: its input distance and its output distance.
The input distance is determined as follows.
If a CI outputs a value that is a direct input to the core, or is loaded as a direct input to the core (via a data-flow edge, i.e., the core accepts the direct input as a "virtual register"), or stores an input that the core loads from memory, then its input distance is -1. Otherwise,
If a CI x outputs a value that is a direct input to a CI y with input distance -k (and possibly also an output distance, as noted above, because the instruction is in a routine called both before and after the core), or x is loaded as a value input by such a y, or stores an input that such a y loads from memory, then its input distance is -k-1.
Where the above considerations give an instruction multiple distinct input distances, the one closest to zero is correct.
The output distance is determined as follows.
If the core outputs a value that is a direct input to a CI, or is loaded as a direct input to the CI (via a data-flow edge, i.e., the CI accepts the direct input as a "virtual register"), or stores an input that the CI loads from memory, then the CI's output distance is +1. Otherwise,
If a CI x with output distance +k (and possibly also an input distance, as noted above, because the instruction is in a routine called both before and after the core) outputs a value that is a direct input to a CI y, or such a CI x is loaded as a value input by such a y, or stores an input that such a y loads from memory, then y's output distance is +k+1.
Where the above considerations give an instruction multiple distinct output distances, the one closest to zero is correct.
This metric ignores control flow entirely. For this purpose, a load is regarded as a value-returning instruction, and a routine-entry instruction for the variable inputs of a routine is regarded as a store instruction.
---------------------------------------------------------
* Control-flow distance. We collect entry distances down to -200 and exit distances up to +200. Beyond this point we may ignore larger distances, and apply heuristics to avoid computing them.
We regard instructions as connected by the directed arcs of the program's control-flow graph, with a conditional branch having two out-arcs (directed to the respective successor when the tested condition is true or false), and an indexed branch (case or switch statement branch) having multiple successors selected by a control index that is tested against the case labels of the control structure. For a routine-return instruction, the successors are determined from the sites that call the routine; that is, they are all the instructions that can execute immediately after return from the routine, and the return instruction is regarded as an indexed branch to those post-return instructions.
Any instruction in the core has control-flow distance zero from the core. As above, we assume a loop-free scenario: any loop involving the core is of sufficiently large scale, and iterates sufficiently rarely, that we can ignore it. However, as with data-flow distance, an instruction may reside in a routine that is called both before and after the core executes, in which case its control-flow distance comprises a pair: its entry distance and its exit distance.
The entry distance is determined as follows.
If an instruction has a successor instruction in the core, or has a branch whose destination is in the core, then its entry control-flow distance is -1. Otherwise,
If an instruction x has an immediate successor instruction y with entry control-flow distance -k (and possibly also an exit control-flow distance, as noted above, because the instruction is in a routine called both before and after the core), or x is a branch whose target instruction is such a y, then its entry control-flow distance is -k-1.
Where the above considerations give an instruction multiple distinct entry distances, the one closest to zero is correct.
The exit distance is determined as follows.
If a core instruction has a successor instruction outside the core, or has a branch whose target instruction is outside the core, then that instruction outside the core has exit control-flow distance +1. Otherwise,
If an instruction x with exit control-flow distance +k (and possibly also an entry control-flow distance, as noted above, because the instruction is in a routine called both before and after the core) has an immediate successor instruction y, or such an x branches to instruction y, then y has exit control-flow distance +k+1.
Where the above considerations give an instruction multiple distinct exit distances, the one closest to zero is correct.
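The two metric pairs of 7.8.3, data-flow distance (input/output) and control-flow distance (entry/exit), are both shortest-hop counts from the core along a graph: def-use edges for the first pair, control-flow arcs for the second, walked backwards for the negative side and forwards for the positive side, which is exactly what the "closest to zero is correct" rule selects. The following Python is an added example, not code from the patent or from the Irdeto transcoder; the instruction table, the choice of instructions 4-6 as the core and the ±200 limit are constructed here for illustration, and the toy program has no routines, so no instruction ends up with both a negative and a positive distance.

```python
"""Added example: the four distance metrics of section 7.8.3 computed by
breadth-first search over a small, constructed instruction list."""
from collections import deque

# Constructed toy program (not from the patent).  Each instruction records the
# values it defines, the values it uses, and its control-flow successors.
# Instruction 6 is a conditional branch with two successors (7 and 9).
INSTRS = {
    0:  dict(defs={"a"},  uses=set(),        succ=[1]),
    1:  dict(defs={"b"},  uses={"a"},        succ=[2]),
    2:  dict(defs={"c"},  uses={"b"},        succ=[3]),
    3:  dict(defs={"u"},  uses=set(),        succ=[4]),    # unrelated to key data
    4:  dict(defs={"k0"}, uses={"c"},        succ=[5]),    # core
    5:  dict(defs={"k1"}, uses={"k0"},       succ=[6]),    # core
    6:  dict(defs={"k"},  uses={"k1", "u"},  succ=[7, 9]), # core, conditional branch
    7:  dict(defs={"d"},  uses={"k"},        succ=[8]),
    8:  dict(defs={"e"},  uses={"d"},        succ=[]),
    9:  dict(defs={"v"},  uses=set(),        succ=[10]),
    10: dict(defs={"w"},  uses={"v"},        succ=[]),
}
CORE = {4, 5, 6}
LIMIT = 200   # the text collects distances only down to -200 / up to +200


def _bfs(start, neighbours, limit):
    """Hop count from the set `start` along `neighbours`, truncated at `limit`.
    BFS gives the shortest path, i.e. the distance closest to zero."""
    dist, seen = {}, set(start)
    queue = deque((s, 0) for s in start)
    while queue:
        node, d = queue.popleft()
        if d >= limit:
            continue
        for nxt in neighbours(node):
            if nxt not in seen:
                seen.add(nxt)
                dist[nxt] = d + 1
                queue.append((nxt, d + 1))
    return dist


def _distances(instrs, core, pred, succ, limit=LIMIT):
    """Pair (negative side, positive side) for every instruction; core is (0, 0)."""
    back = _bfs(core, pred, limit)   # walking against the edges: input / entry side
    fwd = _bfs(core, succ, limit)    # walking with the edges: output / exit side
    out = {}
    for i in instrs:
        if i in core:
            out[i] = (0, 0)
        else:
            out[i] = (-back[i] if i in back else None, fwd[i] if i in fwd else None)
    return out


def data_flow_distances(instrs, core):
    """Input distance (<0) and output distance (>0) along def-use edges."""
    producers, consumers = {}, {}
    for i, ins in instrs.items():
        for v in ins["defs"]:
            producers.setdefault(v, set()).add(i)
        for v in ins["uses"]:
            consumers.setdefault(v, set()).add(i)
    pred = lambda i: set().union(*(producers.get(v, set()) for v in instrs[i]["uses"]))
    succ = lambda i: set().union(*(consumers.get(v, set()) for v in instrs[i]["defs"]))
    return _distances(instrs, core, pred, succ)


def control_flow_distances(instrs, core):
    """Entry distance (<0) and exit distance (>0) along control-flow arcs."""
    cfg_pred = {i: set() for i in instrs}
    for i, ins in instrs.items():
        for s in ins["succ"]:
            cfg_pred[s].add(i)
    return _distances(instrs, core, lambda i: cfg_pred[i], lambda i: set(instrs[i]["succ"]))


if __name__ == "__main__":
    for name, table in (("data-flow", data_flow_distances(INSTRS, CORE)),
                        ("control-flow", control_flow_distances(INSTRS, CORE))):
        print(name, {i: d for i, d in sorted(table.items())})
```

With this table, instruction 3 is at control-flow distance -1 (it falls through into the core) but at data-flow distance -1 only because the core consumes `u`; instructions 9 and 10 have exit distances +1 and +2 yet no data-flow distance at all, which is the distinction the text draws between the two metric pairs when deciding how strongly to transcode code near the core.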
7.8.4 Cleanup. The cleanups listed in , and are performed as required, as in the Mark II implementation, not only for the entry and exit base function implementations but also for the decision block and the application.
7.8.5 * Insertion of hashing of unique dynamic values. Instead of performing this transformation once per base function (that is, performing it for the entry function and separately for the exit function), we use a matrix to perform this transformation in the application, some time before the entry base function is computed, the inputs to the matrix being data selected from those available in the application. We use it to create the array for dynamic data mangling, which serves the application, the entry and exit base functions and the decision block alike, so that they all use one shared blackboard.
7.8.6 Macro expansion. This is done as in the Mark II and Mark III implementations.
7.8.7 Come-from insertion. This is done as in the Mark III implementation, but extended to every branch whose entry or exit distance from the core has an absolute value of 100 or less; that is, it extends well beyond the limits of the white-box implementation in the core.
7.8.8 * Control-flow corruption and repair. As part of code processing, the representation is flattened: branch labels are made destinations in a switch-like structure, and a destination is reached by branching to this switch with an index passed to it that corresponds to the switch case label directing to the desired destination.
This should be done for all code in the core, or in basic blocks containing any instruction whose entry or exit distance from the core has an absolute value of 100 or less.
We consider the index of the destination to be stored in a variable , corresponding to the node of the control-flow graph that represents basic block (entered via a label and exited via a final branch, return or call).
Before flattening, we randomly label each basic block in the corruption region using a total bijective function ( ) under the following constraints.
(1) If basic block can exit to , then its labelling function has the property .
(2) If two distinct basic blocks can both exit to block , then .
(3) If basic block can exit to , then the number of points at which is bounded above by four times the number of destination basic blocks handled by any basic block exiting to .
After flattening, each basic block is entered with the variable in the ( ) state of its predecessor . (This does not mean that the state of the variable is correct, only that it agrees with predecessor .) Variables are then exchanged so that, for each variable, ; this variable is almost certainly in a different state from the one it was entered with, but in view of the constraints, the number of changes has a reasonable bound.
Therefore, just before the final of the basic block is reached, the variables corresponding to destinations are correct for the current destination but otherwise mostly incorrect.
7.8.9 Random instruction reordering. We note that, in the segments generated as in the function-indexed interleaving (FII) employed in the implementation, the inputs and outputs have been divided into possibly irregular groups of widths , and respectively. In and , for each of the entry and exit base functions:
the r outputs depend only on the r inputs;
the s outputs depend on the r and s inputs;
the t outputs depend on the r, s and t inputs;
where the selector computation for the FII between r and s is considered part of the s computation, and the selector computation for the FII between s and t is considered part of the t computation. Note that, with this convention, the s outputs do not depend on the r outputs, and the t outputs do not depend on the r and s outputs.
If the program is not in SSA form, convert it to SSA form (see ) and remove redundant MOVE instructions (see ).
We now topologically sort each segment of each of the entry and exit base functions by itself, thereby randomly mixing the r, s and t instruction sequences. Similarly, we topologically sort the initial mixing by itself, and the final mixing in each base function by itself. We likewise topologically sort each basic block (a straight-line stretch of code without any branch, routine call or return) in the application and in the decision block.
For each of the entry and exit base functions, we concatenate the sorted orderings: initial mixing, segment 1, segment 2, ..., segment k, final mixing. On this concatenated ordering we create a new relation R representing the "precedes" relation. We create a new relation as follows: uniformly at random, remove one of every two arcs in , merge the result with the constraints of to form an overall "precedes" relation , and topologically sort the whole sequence again.
Instruction reordering for the program is now complete.
7.8.10 * Data-flow duplication with cross-checking/trapping. These transformations are done as in Mark II (see , and ), with the modifications of Mark III (see ), but they are also done for additional code segments.
In particular, in addition to their normal use in the entry and exit base functions, we also perform these transformations on the data flow in the decision block, including the transfer of information from the outputs of the entry base function to the inputs of the decision block, and from the outputs of the decision block to the inputs of the exit base function.
There are further changes to these steps for our fusion scenario (see ), covered in the next section.
7.8.11 * Decision hiding. In the decision block, the fields of the 128-bit structure are examined, computations are performed on them, and a pass/fail decision is reached and delivered as a value . We duplicate some of these computations so that the signal is generated at least eight times, in the form of one of a pair of arbitrary constants . Transcoding will make these values look distinct.
Because they are duplicates, cross-linking with cross-checking is applied to them. In particular, we may assume that they will produce , and on that basis, when the data stream of the key is input to the exit base function, we perform operations on that data stream which the exit base function cancels when but does not cancel on failure. The cancellation values can further make use of values constructed from (if cancels, so does ).
This, combined with cross-linking and cross-checking as in , changes the key in a data-dependent and confusing way, but so long as the decision block's test, which structural tampering with high probability causes, is directed to a "fail" decision, a meaningless value of the same size as the key is delivered to the application code following the exit base function. (This method is related to the password-checking technique in .)
7.8.12 Transcoding. This is done as in the Mark II implementation (see ), but with the following changes.
We divide the protection levels as follows:
(1) finite-ring protection using linear mappings;
(2) permutation-polynomial protection using quadratic polynomials;
(3) 2-vector function-matrix protection using quadratic polynomial elements.
Code in the core receives strong (level 3) protection. Code outside the core whose input or output distance has an absolute value not exceeding 100 receives medium (level 2) protection, and the remainder of the application receives weak (level 1) protection.
In addition, transcoding uses data-dependent coefficients as follows.
(1) Constants obtained in the application code leading up to the entry base function set one eighth of the coefficients in the transcoding of the entry base function.
(2) Constants obtained in the entry base function set one quarter of the coefficients in the transcoding of the decision block.
(3) Constants obtained in the decision block set one quarter of the coefficients in the exit base function.
(4) Constants obtained in the exit base function set one eighth of the coefficients in the application code that receives the output of the exit base function.
7.8.13 Register minimization. This is performed as in the Mark II implementation (see ), but for the whole program.
7.8.14 * Dynamic data mangling (memory shuffling). This is performed as in the Mark II implementation (see ), but it affects code beyond the core. In particular, the shared blackboard provided by the shuffled memory carries the inputs from the application to the entry base function, the outputs from the entry base function to the decision block, the inputs from the decision block to the exit base function, and the outputs from the exit base function to the application.
7.8.15 Final cleanup and code emission. These are performed as in the Mark II implementation (see ), but for the whole program.
Section A * Authentication by equality with obscured features
Suppose we have an application in which authentication is by password: authentication succeeds when the value provided at G() matches the reference value , i.e., when .
We further assume that we care what happens when , but that when they do not match, we care only that authorization is no longer possible. That is, when we succeed, but if , further computation may simply fail.
Authentication by equality is unaffected by applying any harmless function to both sides: for any bijection , we can equally test whether . Even if is lossy, authentication by equality can still remain valid with high probability, provided is carefully chosen so that the probability of when is sufficiently low (e.g., as in Unix password authentication).
Based on the techniques described earlier in this paper, we can perform such a test simply. We described earlier a method of defeating tampering as follows: duplicate the data flow (see ), randomly cross-connect the data flow between the duplicated instances (see ), and perform encoded checks to ensure that equality has not been compromised (see ).
We can adapt this method to test whether , that is, in encoded form, whether . We note that along the path where succeeds, the data flow producing duplicates the data flow producing . Therefore, for this comparison we omit the data-flow duplication step. We then cross-connect as in and insert checks as in . By using these computations as coefficients for subsequent encoded computations, we ensure that if , everything continues normally, whereas if , although further computation continues, its results are garbled and the functionality fails. Moreover, because is a function, if , we can be sure that .
Section C: Computing inverses of polynomials over , program element transformations and white-box cryptography *
In the theory and practice of software obfuscation and protection, transformations over and, more generally, over play an important role. White-box research is no exception. In this note we present algorithms for computing the compositional inverse of a given permutation polynomial over and the multiplicative inverse of a given invertible polynomial over . Results on the efficient implementation of special polynomial functions, and on their cooperation with general obfuscation principles, are discussed and presented.
We also investigate algorithms for generating matrices of polynomials over and their determinants, and describe algorithms that use permutation polynomials and matrix functions over to transform arithmetic operations and data arrays. These transformations can be composed with existing MBA transformations to protect software operations in a general white-box cryptographic setting. Examples are given to illustrate the new algorithms.
1 Introduction and notation
Let N be the set of natural numbers and Z the ring of integers. Let .
The mathematical foundation of a microprocessor's ALU is abstracted into the following algebraic system.
Definition 1. For , we define the algebraic system , the Boolean arithmetic algebra (BA algebra) or BA[n], where denote left and right shift, denotes multiplication, and denote signed comparison and arithmetic right shift. n is the dimension of the algebra.
BA[n] includes the Boolean algebra ( ), the integer modular ring and the Galois field .
Note that a very basic requirement in the design of protection is that the implementation blends easily with the application code. Building transformations on BA[n] is therefore called an effective approach. We also argue that it is sufficient, because there is a sufficient number of computationally hard problems directly related to BA[n].
-----------
* Version: January 30, 2012.
C.2 Polynomials over 
Let be a function over , where . If can be expressed as , where , and , then is a polynomial function, or a polynomial over the ring . Let denote the set of all polynomials over the ring .
Let be the set of all permutation polynomials in .
Let denote the falling factorial power , where . Any polynomial can be expressed as , where 1.
For , let . Each polynomial over can be expressed uniquely in the form , where , and are unique integers. Because of this uniqueness, is called the degree, denoted by or .
Note that equals the 2-adic order , which is , where s is the sum of all the binary digits of i, i.e. the Hamming weight of i. is very useful in several of the algorithms in this note.
For polynomials over , the upper bound on their degree is the number such that but . Suppose n is a power of 2 and . Because and , we have . For example, the highest possible degree of a polynomial over is 33.
Because the highest degree of a polynomial in is about , the computational cost is greatly reduced compared with polynomials over a Galois field .
There are a large number of permutation polynomials over the ring . The cardinality of is . One eighth of them, that is , are permutations. For , there are , and permutations respectively.
C.3 Permutation polynomials
A given polynomial is a permutation if and only if is odd and and are both even. An interesting observation is that in the falling factorial representation , the condition becomes: is odd and and are both even.
In this section we give an efficient algorithm for computing the inverse of a permutation , also referred to as the compositional inverse.
C.3.1 Computing the preimage (root) of a permutation polynomial
For a given permutation polynomial , we have an algorithm for computing its preimage.
Proposition 1. Let be a permutation polynomial over . For any given value , the following steps find such that :
1. Input and ;
2. ;
3. The 0th bit of is the 0th bit of ;
(a) for i from 1 to n-1
(b) the i-th bit of is the i-th bit of ;
4. Output .
This computation is correct because, for a permutation polynomial , the i-th bit of is completely determined by the bit values of at positions and by the coefficients of .
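The criterion of C.3 and the bit-by-bit preimage computation of Proposition 1 can be checked against brute force for small n, which is a good way to see why the algorithm works: a polynomial that permutes Z/2^n also permutes Z/2^(i+1) for every i < n (f(x) mod 2^(i+1) depends only on x mod 2^(i+1), and a surjection of a finite set onto itself is a bijection), so once bits 0..i-1 of x are fixed exactly one choice of bit i makes f(x) agree with y modulo 2^(i+1). The following Python is an added example, not code from the note or from the Irdeto tooling; the polynomials used as input are constructed here, and coefficients are given in the ordinary power basis `coeffs[i] = a_i` rather than the falling factorial basis discussed in C.2.

```python
"""Added example: permutation criterion of C.3 and the preimage algorithm of
Proposition 1 for polynomials over Z/2^n (power basis, coeffs[i] = a_i)."""


def poly_eval(coeffs, x, n):
    """Evaluate sum_i coeffs[i] * x^i modulo 2^n by Horner's rule."""
    mask = (1 << n) - 1
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) & mask
    return acc


def is_permutation_poly(coeffs):
    """Criterion stated in C.3: a1 odd, a2+a4+... even, a3+a5+... even.
    It does not depend on n, so a permutation of Z/2^n is one of Z/2^k for all k."""
    a = list(coeffs) + [0, 0, 0]          # pad so indices 1..3 always exist
    return a[1] % 2 == 1 and sum(a[2::2]) % 2 == 0 and sum(a[3::2]) % 2 == 0


def brute_force_is_permutation(coeffs, n):
    """Reference check: the image of Z/2^n under f has 2^n distinct values."""
    return len({poly_eval(coeffs, x, n) for x in range(1 << n)}) == (1 << n)


def preimage(coeffs, y, n):
    """Proposition 1: fix bit i of x from bits 0..i of y, one bit at a time.
    Invariant after step i: f(x) == y (mod 2^(i+1))."""
    if not is_permutation_poly(coeffs):
        raise ValueError("not a permutation polynomial over Z/2^n")
    x = 0
    for i in range(n):
        mod = 1 << (i + 1)
        # Bits 0..i-1 of x already match; of the two candidates for bit i
        # exactly one agrees with y modulo 2^(i+1).
        if poly_eval(coeffs, x, n) % mod != y % mod:
            x |= 1 << i
        assert poly_eval(coeffs, x, n) % mod == y % mod
    return x


def invert_table(coeffs, n):
    """Preimage of every y in Z/2^n, i.e. the inverse permutation as a table."""
    return [preimage(coeffs, y, n) for y in range(1 << n)]


if __name__ == "__main__":
    f = [1, 3, 2]            # constructed: f(x) = 1 + 3x + 2x^2, a permutation of Z/2^n
    print(is_permutation_poly(f), brute_force_is_permutation(f, 8))
    y = poly_eval(f, 77, 8)
    print("f(77) =", y, " preimage =", preimage(f, y, 8))
```

For n = 8 the preimage table can be compared with an exhaustive search, which is the verification one would want before relying on a permutation polynomial as an encoding in a transcoder; the algorithm itself costs n polynomial evaluations per preimage rather than 2^n.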
C.3.2 Inverses of permutation polynomials
In this section we give the following algorithm for computing the compositional inverse of any given permutation polynomial in .
Proposition 2. Let be a permutation polynomial over , and let be its compositional inverse. The following steps compute the coefficients .
1. Input ;
2. for i from 0 to (n+1)
(a) input and i to Proposition ;
(b) output (note: );
3. ;
4. for j from 1 to n+1 ;
5. Output .
The correctness of the algorithm rests on the following argument. Because is determined by (n+2) pairs of values , the coefficients can be computed by solving the system of equations.
The complexity of this algorithm is .
C.4 Multiplicative inverses of polynomial functions
For a given polynomial function over , we wish to determine whether there exists a multiplicative inverse function such that for all we have , and, if it exists, we denote it by . We also wish to compute .
Let be the set of all multiplicatively invertible polynomials in .
C.4.1 Criterion
Proposition 3. Let be a polynomial function over .
1. has a multiplicative inverse function if and only if, in the falling factorial power expression , the coefficient is odd and is even;
2. there exist multiplicatively invertible polynomials in ;
3. is a polynomial and can be computed by an efficient algorithm.
Proof: Obviously, over , has a multiplicative inverse if and only if for all , . In its falling factorial power expression, only the coefficient and the constant contribute to the least significant bit, because for all , 2 divides . If , must be odd, and if , it must be even. Conversely, under these conditions, this holds for all .
An efficient algorithm is stated in the following proposition.
Proposition 4. Let be a multiplicatively invertible polynomial in . Its multiplicative inverse can be generated by the following steps:
1. Set
where is any polynomial;
2. Perform the recursive equation
times to generate a new polynomial ;
3. Normalize to a falling factorial representation of degree at most (n+1);
4. Output . The correctness of the algorithm rests on the following observation: for any invertible element , the Newton iteration used in the process doubles the number of bits of accuracy in the computation of . The number 8 is used because the first 3 bits of and are identical for all x, owing to the fact that for all odd , the first 3 bits of and are identical.
Because polynomials are closed under composition, we obtain the inverse in polynomial form.
Note that the algorithm with different initial values produces different intermediate computations, and therefore diverse code.
The performance of this algorithm is good because it takes only iterations. This symbolic computation produces the inverse polynomial, which can then be used to compute instances of inverse coefficients.
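The Newton iteration of Proposition 4 can be carried out directly on coefficient lists: starting from g = f, each step g ← g·(2 − f·g) mod 2^n squares the error term 1 − f·g, so the number of correct low bits goes 3, 6, 12, ... (for odd a, a^2 ≡ 1 mod 8, which is the "first 3 bits are identical" remark). The following Python is an added example and not code from the note; it works in the power basis rather than the falling factorial basis, so the criterion of Proposition 3 is restated for that basis (f(x) ≡ a0 + x·(a1 + a2 + ...) mod 2, so f is a unit for all x exactly when a0 is odd and a1 + a2 + ... is even), the initial value uses h = 0, and the degree-reduction step 3 of the proposition is omitted, which leaves a longer but correct inverse. The input polynomial is constructed here.

```python
"""Added example: Proposition 3 (power-basis restatement) and the Newton
iteration of Proposition 4 for multiplicative inverses over Z/2^n."""


def poly_eval(coeffs, x, n):
    """Evaluate sum_i coeffs[i] * x^i modulo 2^n by Horner's rule."""
    mask = (1 << n) - 1
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) & mask
    return acc


def poly_mul(p, q, n):
    """Product of two coefficient lists with coefficients reduced modulo 2^n."""
    mask = (1 << n) - 1
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        if a:
            for j, b in enumerate(q):
                out[i + j] = (out[i + j] + a * b) & mask
    return out


def is_mult_invertible(coeffs):
    """f(x) is odd for every x  <=>  a0 odd and a1 + a2 + ... even
    (power-basis form of the criterion in Proposition 3)."""
    return coeffs[0] % 2 == 1 and sum(coeffs[1:]) % 2 == 0


def iterations_needed(n):
    """Newton steps to reach n correct bits from the 3 bits g0 = f already has."""
    bits, steps = 3, 0
    while bits < n:
        bits *= 2
        steps += 1
    return steps


def newton_inverse(f, n):
    """g_{k+1} = g_k * (2 - f * g_k) mod 2^n, starting from g_0 = f (h = 0)."""
    if not is_mult_invertible(f):
        raise ValueError("f has no multiplicative inverse over Z/2^n")
    mask = (1 << n) - 1
    g = list(f)
    for _ in range(iterations_needed(n)):
        fg = poly_mul(f, g, n)
        two_minus_fg = [(-c) & mask for c in fg]    # 2 - f*g, coefficient-wise
        two_minus_fg[0] = (two_minus_fg[0] + 2) & mask
        g = poly_mul(g, two_minus_fg, n)
    return g


def verify_inverse(f, g, n):
    """Exhaustive check f(x) * g(x) == 1 mod 2^n; meant for small n."""
    mask = (1 << n) - 1
    return all((poly_eval(f, x, n) * poly_eval(g, x, n)) & mask == 1 for x in range(1 << n))


if __name__ == "__main__":
    f = [3, 4, 2]                    # constructed: f(x) = 3 + 4x + 2x^2
    g = newton_inverse(f, 8)
    print("invertible:", is_mult_invertible(f), "steps:", iterations_needed(8))
    print("degree of g:", len(g) - 1, "verified:", verify_inverse(f, g, 8))
```

For n = 32 the same routine needs four steps (3 → 6 → 12 → 24 → 48 bits), and the inverse polynomial of a quadratic then has degree 62 before normalization, which is why the note's step 3 reduces it to the canonical falling factorial form of degree at most n + 1.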
C.4.2 Algorithm for computing the inverse
The method for computing the inverse of a given multiplicatively invertible polynomial is due to the following fact: any polynomial over the ring is determined by its set of values. The simple algorithm is as follows.
1. take a multiplicatively invertible polynomial as input;
2. compute its value set ;
3. compute the modular inverses of the values ;
4. evaluate the coefficients:
(a) compute the falling factorial form coefficients from the value set;
(b) modify the coefficients modulo the appropriate modulus;
(c) convert the falling factorial form into normal form;
5. output the result.
This algorithm works because of the following simple fact: . The step of modifying the coefficients is necessary in order to produce zero coefficients and so obtain the shortest representation needed for efficient computation.
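The two inversion routes of Propositions 3 and 4 and of section C.4.2, as an added example (not the patent's own Smalltalk or Java code): polynomial functions over Z/2^N are represented by coefficient lists, the Newton step q = q(2 - pq) is applied symbolically, and the falling factorial normalization of step 3 keeps the degree bounded. The value-set route of C.4.2 inverts the polynomial pointwise and interpolates. The ring size N = 8, the helper names and the sample polynomial 3 + 2x are assumptions made for this example; the reduction of coefficient k modulo 2^(N - v2(k!)) is the standard fact that x(x-1)...(x-k+1) is divisible by k!.

```python
from math import factorial

N = 8                  # bit width of the ring Z/2^N (value chosen for this example)
MOD = 1 << N

def v2(m):
    """2-adic valuation of the positive integer m."""
    return (m & -m).bit_length() - 1

# x(x-1)...(x-k+1) is divisible by k!, so the falling factorial term of degree k
# is the zero function once 2^N divides k!; MAX_DEG is the last useful degree.
MAX_DEG = next(k for k in range(1, 4 * N + 4) if v2(factorial(k)) >= N) - 1

def trim(p):
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % MOD for x, y in zip(a, b)])

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % MOD
    return trim(out)

def evaluate(p, x):
    acc = 0
    for c in reversed(p):
        acc = (acc * x + c) % MOD
    return acc

def reduced_ff_coeffs(values):
    """Reduced falling-factorial coefficients c_k of the polynomial function whose
    values at 0, 1, ..., MAX_DEG are given. Forward differences give
    Delta^k f(0) = c_k * k! (mod 2^N); dividing out the power of two in k! and the
    inverse of its odd part leaves c_k modulo 2^(N - v2(k!)), which is all that matters."""
    vals, coeffs = list(values), []
    for k in range(MAX_DEG + 1):
        d, e = vals[0], v2(factorial(k))
        if d % (1 << e):
            raise ValueError("values are not those of a polynomial function")
        m = 1 << (N - e)
        coeffs.append((d >> e) * pow(factorial(k) >> e, -1, m) % m)
        vals = [(vals[i + 1] - vals[i]) % MOD for i in range(len(vals) - 1)]
    return coeffs

def from_ff(c):
    """Expand falling-factorial coefficients into an ordinary coefficient list."""
    result, basis = [0], [1]
    for k, ck in enumerate(c):
        if k:
            basis = mul(basis, [(1 - k) % MOD, 1])     # multiply by (x - (k-1))
        result = add(result, [ck * b % MOD for b in basis])
    return result

def normalize(p):
    """Shortest representative of the function p (step 3 of Proposition 4)."""
    return from_ff(reduced_ff_coeffs([evaluate(p, x) for x in range(MAX_DEG + 1)]))

def is_invertible(p):
    """Proposition 3: p(x) is odd for every x iff c_0 is odd and c_1 is even."""
    c = reduced_ff_coeffs([evaluate(p, x) for x in range(MAX_DEG + 1)])
    return c[0] % 2 == 1 and c[1] % 2 == 0

def newton_inverse(p):
    """Proposition 4. q <- q(2 - pq) squares the error 1 - pq, so the number of
    correct low bits doubles; q = p is correct to 3 bits since u*u = 1 mod 8 for odd u."""
    if not is_invertible(p):
        raise ValueError("p has no multiplicative inverse")
    q, bits = normalize(p), 3
    while bits < N:
        q = normalize(mul(q, add([2], [(-c) % MOD for c in mul(p, q)])))
        bits *= 2
    return q

def value_set_inverse(p):
    """Section C.4.2: invert p pointwise on 0..MAX_DEG, then interpolate."""
    if not is_invertible(p):
        raise ValueError("p has no multiplicative inverse")
    inverses = [pow(evaluate(p, x), -1, MOD) for x in range(MAX_DEG + 1)]
    return from_ff(reduced_ff_coeffs(inverses))

def is_inverse(p, q):
    """Exhaustive check that p(x) * q(x) = 1 for every x in Z/2^N."""
    return all(evaluate(p, x) * evaluate(q, x) % MOD == 1 for x in range(MOD))
```

Both routes return the same canonical coefficient list because the reduced falling factorial representation of a polynomial function is unique; `is_inverse` confirms the product is 1 at every point of the ring, which is the check a practitioner should run on any generated inverse before embedding it in transformed code.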
C.4.3 Multiplicatively invertible polynomials with nilpotent coefficients
All multiplicatively invertible polynomials over the ring form a group, the unit group. Its subgroups can be studied for efficient computation with a reduced number of nonzero coefficients. For example, is the inverse of a polynomial with nilpotent coefficients again a polynomial with nilpotent coefficients? If so, this could be a useful subset. The following result is what we expect.
Lemma 1. Let a polynomial with nilpotent coefficients be given: . Then:
1. for any , ;
2. if the polynomial is multiplicatively invertible, that is, if its constant term is odd, then we have ;
3. for any integer , the set
is a subgroup of the unit group.
Here is a short proof. If we let , then . Therefore, . Similarly, . The first result follows by induction on . The second result can be proved by the Newton iteration process ( ) together with the first result. In fact, and . By induction, is a polynomial with degree not greater than the degree of . The third result is easy to check, again owing to the nilpotent property of the coefficients, and the proof is complete.
Our Smalltalk implementation of the algorithm in the preceding subsection provides the following examples of inverses of polynomials with nilpotent coefficients over the ring:
1. a quadratic polynomial , with inverse , which is also quadratic;
2. a cubic polynomial , with inverse , which is also cubic;
3. a quartic polynomial , with inverse , which is also quartic.
Remark 1. The nilpotent coefficient condition can be relaxed through . More detailed study is needed.
C.5 Permutation and multiplicatively invertible polynomials: decomposition and factorization
In this section we study polynomials with small representations . This is useful because a general polynomial over the ring has degree , and if high-degree permutations are used as transformations the transformed code becomes inefficient. In addition, code obfuscation also benefits from small representations, on the following rationale: small language components make code diversity and coherency management easier. Note that in the context of data transformations both a polynomial and its inverse ( in the case of ) are needed, and finding both with small representations turns out to be a challenging problem.
For a given permutation polynomial , its weight is defined as the number of nonzero terms in its conventional polynomial representation (in the falling factorial representation we could have a smaller weight definition, but it would be treated differently for computation, because the repeated squaring algorithm does not work there). Obviously, . To have small representations for both the polynomial and its inverse, restricting the degree is an obvious option; a class of permutation polynomials is known for which . On the other hand, finding polynomials with small and small is another option for finding useful small representations, because efficient exponentiation algorithms exist, such as repeated squaring.
Decomposing a polynomial function into provides another means of finding small representations. If , then and are integer factors of . For multivariate polynomials we have a similar situation, which can serve as the transformation code for arithmetic operations.
Polynomial factorization is our third method for obtaining small representations. Note that there are about 1/m irreducible polynomials of degree m in .
For example, over only 99 polynomials of degree 10 are irreducible. Fortunately, permutation polynomials ( 1/8) are far from irreducible. Existing mathematical results allow any factorization over to be lifted (not uniquely) to a factorization over , for any , and the stated conditions for a polynomial over to be a permutation (or multiplicatively invertible) are not restricted to irreducible polynomials. In this context, the desirable small representation for and is a small number of factors, each factor being a power of a polynomial with a small representation, where a small representation is, for example, one of low degree or low weight (a recursive definition).
Using a mixture of additive terms, composition components and multiplicative factors to represent polynomials provides another excellent example: the same group of techniques serves both efficient computation and software obfuscation (an existing example is the obfuscated addition chain for RSA keys). Because our final goal is transformation code that is the composition of three permutation polynomials, an arithmetic operation and a bivariate polynomial, we have, as an end product, good opportunities to construct or find a large number of permutation polynomials with small representations in order to obtain optimized target code (the general algorithm remains to be determined; we have some basic ideas).
In the following subsections we describe the algorithms for these three methods and their mixture.
C.5.1 Low degree or low weight
We have obtained sufficient conditions on permutation polynomials for the polynomial and its inverse to have the same degree, and that degree can be small.
Here is the result about degree, where .
Let m be a positive integer and let be the set of polynomials over :
The degree is m and there are 2m-1 coefficients.
We have studied less restrictive conditions, and the cases in which conditions may be necessary and sufficient, but the results are complicated conditions in terms of the system of coefficient equations; still, they do shed some light on the computation of such polynomials (details omitted here). At this point we use computation to search, and if the computational results provide further information, we study them by renewing the theory.
The basic computational algorithm applies the algorithm of section C.3.2 for inverse computation and tunes the coefficients to find small representations.
Over Galois fields, low-weight polynomials such as low-weight irreducible polynomials have been studied computationally. In our Galois ring situation we should reuse the algorithm of section C.3.2 and find those of weight . The coefficient tuning process is again carried out by computation.
C.5.2 Decomposition
Polynomial-time decomposition methods over fields (not necessarily finite) are known, but over Galois rings, to the best of our knowledge so far, no convincing general algorithm has been found. On the other hand, the methods and ideas over fields provide valuable information for working over rings.
A special category, the polynomials called Chebyshev polynomials (of the first kind), is worth noting. Recall that they can be defined by the recurrence relation: . The Chebyshev polynomials have the following property regarding decomposition: . An interesting observation is that all odd-index Chebyshev polynomials are permutation polynomials over the ring. Therefore, a Chebyshev polynomial of large odd index can be decomposed into low-order Chebyshev permutation polynomials.
Note that if and with , then those components with remain permutations. The decomposition of multiplicatively invertible polynomials would be interesting, because the components are not necessarily multiplicatively invertible.
C.5.3 Factorization
The factorization of a given polynomial starts over . Then various forms of Hensel lifting can be chosen to lift the factorization to . Algorithms in this field are well studied (except for the factorization of multivariate polynomials), and we will use existing algorithms.
Most permutation polynomials are not basic primitive polynomials and have non-trivial factors. For example, the permutation polynomial
For any , the square-free factoring algorithm and Berlekamp's Q-matrix algorithm are used to factor . Note that we may have only a partial factorization; finding relatively prime factors is enough to proceed to the next step of factoring .
Hensel's lemma in the following form is the essential technical lemma.
Let R be a ring and an ideal. For any and any factorization of f in R/I, there exist and such that , and in addition, .
Note also that and can be constructed directly from the Bézout identity.
Iterating this process, we obtain the expected result.
Note that the factors of a permutation polynomial are not necessarily permutations. This provides another feature of diversity between different classes. However, the factors of a multiplicatively invertible polynomial remain multiplicatively invertible.
C.5.4 Mixing additive terms, multiplicative factors and composition components
We know that all permutation polynomials over the ring form a group under function composition. The unit group of the polynomial ring over the ring is the set of all multiplicatively invertible polynomials (see section C.4).
Here is a simple but interesting observation:
Proposition 5. Let be a permutation polynomial with zero constant term. Then . That is, is multiplicatively invertible.
Note that the coefficients of must be odd, even and even respectively. In that form, these conditions make the constant term odd and the coefficient even. The correctness of this observation follows from Proposition 3.
Another observation is that the intersection is empty (if we allowed constant functions, it would contain only the odd constant functions). This suggests that the two function sets are orthogonal in some sense.
Returning to the set of Chebyshev polynomials (of the first kind): we mentioned above that those of odd index are permutations. It is easy to see that those of even index (which are also Chebyshev polynomials of the second kind of even index) are multiplicatively invertible polynomials. Therefore, polynomials of large even index can be decomposed, based on , into small ones, and alternatively can be factorized into those reducible small factors.
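The Chebyshev observations of sections C.5.2 and C.5.4, as an added example that is not part of the patent: the first-kind recurrence, the composition property T_m(T_n(x)) = T_mn(x) checked exactly over the integers, and exhaustive checks on a small ring that odd-index Chebyshev polynomials are permutations while even-index ones take only odd values (so they are multiplicatively invertible by Proposition 3). The ring size of 8 bits and the function names are choices made for this example.

```python
# Chebyshev polynomials of the first kind as integer coefficient lists
# (index = power of x), with the checks from sections C.5.2 and C.5.4.
BITS = 8
MOD = 1 << BITS          # small ring Z/2^BITS so that exhaustive checks are cheap

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def poly_add(a, b):
    n = max(len(a), len(b))
    return [(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)]

def chebyshev(n):
    """T_0 = 1, T_1 = x, T_n = 2x T_{n-1} - T_{n-2}, with integer coefficients."""
    if n == 0:
        return [1]
    t_prev, t = [1], [0, 1]
    for _ in range(n - 1):
        t_prev, t = t, poly_add(poly_mul([0, 2], t), [-c for c in t_prev])
    return t

def compose(outer, inner):
    """outer(inner(x)) by Horner's rule on polynomials; exact over the integers."""
    result = [outer[-1]]
    for c in reversed(outer[:-1]):
        result = poly_add(poly_mul(result, inner), [c])
    return result

def evaluate(p, x):
    acc = 0
    for c in reversed(p):
        acc = (acc * x + c) % MOD
    return acc

def same_function(p, q):
    """Equal as functions on Z/2^BITS even if the coefficient lists differ."""
    return all(evaluate(p, x) == evaluate(q, x) for x in range(MOD))

def is_permutation(p):
    """Exhaustive bijection test on the small ring."""
    return len({evaluate(p, x) for x in range(MOD)}) == MOD

def is_mult_invertible(p):
    """Proposition 3 from the value side: every value must be odd."""
    return all(evaluate(p, x) & 1 for x in range(MOD))
```

The composition identity is what makes a large odd index decomposable: T_15 is the composition of T_3 and T_5 in either order, each of which is itself a permutation of the ring.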
More research can be done in this area, including algorithms for selecting suitable transformations for the purpose of generating highly obfuscated code.
C.6 General polynomials
Klimov gives an interesting necessary and sufficient condition, based on the coefficient set , for a general polynomial to be a permutation. This is for the polynomial functions obtained from the same terms by replacing + with the operation in all possible ways, called reduced polynomials.
Because the associative law does not hold in , this in fact represents the set of functions generated from all possible orderings of the operations and all combinations of the operators + and .
A new result on the interesting condition of the single-cycle property was published at the end of 2011: assume that the order of operations is from left to right, that is, functions of the form .
Proposition 6. Under the ordering restriction, and assuming there are no consecutive + operators, is a single-cycle permutation if and only if it is a single-cycle permutation on the ring , where is the number of odd values among the degree indices of the terms that have a + operator before them in the set .
This is an interesting result, but the ring may be large.
C.7 Matrix transformations
In this section, matrix functions with predetermined determinant functions over the ring are constructed for the transformation of arithmetic operations and vectors. Below is the set of matrices we try to work in:
where is a multivariate function over BA[n].
Recall that is the set of all multiplicatively invertible polynomials over the ring.
A few lines of explanation. This is the set of matrices whose determinants are multiplicatively invertible. With the rows and columns predetermined, a matrix in can be constructed from elementary row and column operations over the ring. Note that other operations in BA[n] are also involved, but we "care" about multiplication and addition. The canonical algorithm below, very similar to the one for matrices over fields, provides more details.
Proposition 7. Let . Let be a function set, called the context function set. Let be the set of functions generated from . The following process creates an invertible matrix over (more precisely, with entries in ) whose determinant is the polynomial :
1. input: the BA algebra dimension and the matrix dimension m;
2. randomly select m polynomials from and set ;
3. repeat the following process for a finite number of steps:
(a) randomly pick ;
(b) randomly pick ;
(c) randomly perform a row operation or a column operation ;
4. output: a matrix of dimension .
In this algorithm the context function set is an interesting concept. The "similarity" required to blend the matrix transformation seamlessly into the application code environment is defined by this function set. It can be predefined based on the form of the existing application code and the projected code form. A typical is the set of expressions in the code context.
This concept can also help us introduce dependencies between code variables in both the application and the transformation. See the example in section D.
Remark 2. An alternative algorithm constructs such matrices as follows: form upper (or lower) triangular matrices with polynomials in on the diagonal and elements of as the upper (or lower) entries. The products of these matrices are still in .
Remark 3. On the consistency of matrix inverses in . There are two types of application: with or without matrix inversion code in the application code. For transforming vectors (data arrays) it may be unnecessary, and the inverse computation can occur on the server side, where no code obfuscation is needed. But to keep the original functionality, a matrix inversion operation used in the transformed operation must be invoked.
Matrices in serve the latter case well, because the entries of the inverse matrix are formed from together with the polynomial (the inverse of the determinant).
Remark 4. The algorithm can be fine-tuned based on precise criteria for the defined code consistency level and on performance criteria for the transformed code.
C.8 Block invertible function matrices
In this section we use the block invertibility property to construct a particular set of square block matrices; the block invertibility property is applied to both inner and outer transformations and keeps the code context multiplicatively invertible throughout.
Note that this is also an extension of the constant-case construction used in white-box AES key hiding.
C.8.1 Existence of block invertible function matrices
In this section we call a polynomial in even if both its coefficient of x and its constant term are even (this is related to the nilradical of the polynomial ring). Let be the subset consisting of the multiplicatively invertible polynomials and the even polynomials. Then
is a subring of . Let be the ideal generated in the ring by .
It is easy to verify that is isomorphic to Z: the set of multiplicatively invertible polynomials becomes the odd numbers, and the even polynomials become the even numbers. We will see that this isomorphism allows the construction method over the field to be carried over to the ring .
Note that contains the subring generated by the unit group and the nilradical ideal . The matrix ring is what we work with in this section. First, we have the following results:
Lemma 2. For a given non-zero square matrix , there exist two invertible matrices such that , where D is the diagonal matrix with r ones and s-r zeros, where .
Lemma 3. For any ( ), there exist two invertible matrices such that , where D is the diagonal matrix with r ones and s-r zeros, where .
The correctness of these two lemmas follows from the isomorphism above. For this subset of polynomials, the basic idea of the construction algorithm works very well (even over BA algebras, in fact over the modular ring in the Jacobian matrix situation in this work).
10 General transformations of program components
We describe methods for transforming program components (see the next section for arithmetic operations and data arrays as the main transformations, and for permutation polynomials, invertible polynomials and matrices). Note that the methods described in this section are in fact a complex extension of the data transformation concept of the Irdeto/Cloakware data transformation technology.
10.1 Transformation process and configuration
Definition of configuration. In this note, a configuration is defined as the state of the set of variables (without operations) involved in a transformation process. In most cases the variable set comprises:
1. the variables in the program component;
2. the variables of the program component after transformation;
3. the transformations, represented by their types;
4. the coefficients of the transformations and/or their values;
5. the coefficients of the transformations and/or their inverse values;
6. variables representing the configuration itself;
7. other variables.
A transformation process comprises a sequence of:
1. an input configuration;
2. a component transformation part;
3. an output configuration.
Configuration management, as the main part of the transformation process, can be represented by a finite state machine. Note that the transformation (encryption) of a program is more complicated than that of a binary string used for cryptographic purposes.
Example: the existing data transformations.
10.2 Analysis of the complexity of transformed components and programs
1. search of the space of all possible compositions;
2. complexity of the propagation of dependencies among transformed program components;
3. the system of equations for each instance.
11 Transformations of program components in the Mark I / Woodenman construction
Based on the Woodenman detailed requirements, we have the following transformations of program components.
11.1 Transformation of addition
Let be the addition to be transformed. The basic process is:
1. decode the input configuration to find the input expressions for both x and y;
2. transform the two operands by permutation polynomials in and generate new expressions;
3. create a vector with the encoded operands and other as its entries;
4. transform this vector by a matrix in ;
5. compose the matrix, the decoding of the two operands and the encoding of the addition operation by polynomials in and/or matrices in ;
6. apply a permutation polynomial to the transformed z and keep the result in the vector;
7. keep the information about the encoding in the final vector for the consumer of the addition.
The interfaces between these steps are variable arrays with specified/different configurations.
11.2 Transformation of multiplication
Similar to the steps above, with addition replaced by multiplication.
11.3 Transformation of vectors/arrays
Similar to the addition steps, without the addition encoding.
11.4 Transformation of addition, multiplication and vectors
These three transformations are unified by the choice of the matrix transformation.
13 Attacks
For permutation polynomials: simplified representations.
Proposition 8. Possible attack: if all permutation polynomials could be represented by low-degree permutation polynomials, then a (simplification) attack would exist. HINT: counting the number of low-degree permutations in the Galois field and suggests, at least superficially, that these are not such attacks.
Proposition 9. Possible attack: represent polynomials by value sets and compose them, computing the probability ...
14 Annotations
A Java implementation of the algorithms has been tested.
15 The concept of dynamic permutation transformations
In the existing data transformation technology at Irdeto/Cloakware, permutations are used to transform the operands of operations. For example, the operands u, v and w of an addition operation can be transformed by linear functions , where a and b are constants (a must be odd for the function to be a permutation). In the computation of the transformed code, variables are related to u and v only because the transformed operation has fixed constants as the coefficients of the new transformed operation, such as those of the addition operation. We therefore call these transformations batch permutation transformations. Note that the data transformations used in standard public key cryptosystems such as RSA can also be regarded as batch permutation transformations, because the private key and the public key become fixed constants for the entity that uses them to encrypt or decrypt data.
By contrast, a dynamic permutation transformation is a permutation with new variables, which can be incorporated into the computation context of the transformation. For example, a linear function may be used to transform the operand x, but in this dynamic case the coefficients a and b are variables (with a restriction on the variable a). In this way, the transformed addition operation will have three sets of new variables (6 in total in this case).
Batch permutation transformations are designed to transform the operands of each individual operation. These macro transformations always have small code size. Although dynamic permutation transformations can be used as macro transformations, their aim is to introduce connections between variables for code integrity. Therefore, the code size can and should be larger than for most macro transformations. Note that transformations of these sizes are still within the bounds of polynomial-time computational complexity in terms of the original size.
Dynamic and static permutation transformations can work together to obfuscate code with a reasonable code size expansion and level of code protection.
16 Dynamic permutation transformations
Permutation polynomials over the ring can be used as dynamic permutation transformations, where are variables satisfying the following conditions: is odd, and is odd. As in the static data transformation case, the inverse of the permutation must be computed.
Besides general permutation polynomials over , special dynamic permutation polynomials, such as those with nilpotent coefficients, can reduce the size of the transformed code. The equations for computing their inverses are known from [? ], where in this dynamic case all coefficients are variables. Special properties of the coefficient variables, such as the nilpotent property, can also be used for interlocking.
Note that nothing prevents some of the variables in a dynamic permutation transformation from being constants, as long as the permutation condition is satisfied by the coefficient variables. These facilitate composition with existing batch permutation transformations.
17 Properties of dynamic permutation transformations and interlocking
In dynamic permutation transformations there are two kinds of coefficient variables: conditional variables, such as a in , and unconditional variables, such as b in the example above. For code obfuscation purposes an unconditional coefficient variable can be any variable from the original computation context, or a variable in any transformation equation. Conditional variables are more interesting: the condition can be composed with interlocking properties for code protection purposes. Code can be protected this way precisely because the condition on the coefficient variable is the condition for the transformation to be a permutation. Therefore, a failed condition implies a non-permutation transformation of the operation's operands and leads to incorrect computation, which is what we expect to happen when tampering occurs.
Because the dynamic permutation condition is represented by properties of a group of variables, it becomes hard to distinguish these properties from the properties of the source code. It is also hard to compute the set of coefficient variables from all the variables in the transformed code.
Besides the properties of coefficient variables, the conditions for the correctness of equations can also be composed with integrity verification properties: if a condition is broken, it breaks an identity!
A permutation polynomial is also completely determined by its roots. Besides the normal coefficient representation, a root representation format can also be used. Special root structures and value properties can also reduce code size for more efficient computation. Note that in this dynamic context the roots are variables rather than fixed values. The conditions for the correctness of the root computation process can also be composed with verification properties.
Other dynamic properties in the process of computing inverses can also be used for composition with integrity properties. For example, the Newton iteration based algorithm for computing the modular inverse over the ring works correctly only for odd values, which is a good property.
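The linear dynamic permutation transformation of sections 15 to 17, as an added example that is not the patent's own code: the transform a*x + b mod 2^32 has run-time coefficients, the inverse of the conditional coefficient a is computed by the Newton iteration that only works for odd a, and a transformed addition is computed directly on encoded operands so that the six coefficients of the three transforms become the new variables of the transformed code. The 32-bit width, the class and function names and the sample coefficients are assumptions made for this example.

```python
BITS = 32
MASK = (1 << BITS) - 1

def inverse_odd(a):
    """Multiplicative inverse of odd a modulo 2^BITS by Newton iteration
    x <- x(2 - a x): x = a is correct to 3 bits (a*a = 1 mod 8) and each step
    doubles the number of correct bits. An even a has no inverse and is rejected,
    which is the property section 17 proposes to use for integrity checking."""
    if a & 1 == 0:
        raise ValueError("only odd values are invertible modulo 2^BITS")
    x, bits = a & MASK, 3
    while b<BITS if False else bits < BITS:
        x = (x * (2 - a * x)) & MASK
        bits *= 2
    return x

class DynamicLinear:
    """Dynamic permutation transformation t(x) = a*x + b mod 2^BITS whose
    coefficients are run-time variables: a is the conditional variable (must be
    odd for t to be a permutation), b is the unconditional one."""
    def __init__(self, a, b):
        self.a, self.b = a & MASK, b & MASK
        self.a_inv = inverse_odd(self.a)      # fails loudly if the condition is broken

    def encode(self, x):
        return (self.a * x + self.b) & MASK

    def decode(self, y):
        return (self.a_inv * (y - self.b)) & MASK

def transformed_add(tu, tv, tw, U, V):
    """Encoded addition: given U = tu(u) and V = tv(v), return W = tw(u + v)
    without forming u, v or u + v in the clear. The six coefficients (a and b of
    the three transforms) are the new variables mentioned in section 15."""
    c1 = (tw.a * tu.a_inv) & MASK
    c2 = (tw.a * tv.a_inv) & MASK
    c0 = (tw.b - c1 * tu.b - c2 * tv.b) & MASK
    return (c1 * U + c2 * V + c0) & MASK

def is_permutation(a, b, bits=8):
    """Exhaustive check on a small ring: x -> a*x + b is a bijection iff a is odd."""
    m = 1 << bits
    return len({(a * x + b) % m for x in range(m)}) == m
```

If a is tampered into an even value, `inverse_odd` raises and `is_permutation` reports the collision, which is the observable consequence of a broken permutation condition that the interlocking idea relies on.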
17.1 Identities and dynamic equations
Equations involving multiple variables inherently have a dynamic property: the identity itself. Mixed Boolean-arithmetic identities are examples of such equations: breaking an MBA identity implies that tampering has occurred.
Multiplicatively invertible dynamic polynomials over the ring also provide a group of equations . Similar to dynamic permutation polynomials, the conditions on the coefficient variables also provide properties to compose with integrity verification properties. Polynomials with special coefficient variables provide flexible code size implementations.
Dynamic permutation transformations and MBA identities can be composed. This can be done through the variables in the transformation equations or through the transformation equations themselves.
17.2 Permutation T-functions
In general, any permutation T-function from the Boolean-arithmetic algebra system can also be used as a dynamic permutation transformation. Their inverse computation can be realized by bitwise computation. One example is the generalized permutation polynomials. The computation of their inverses remains an efficient computer program.
Note: not all program components are necessary for obfuscation. Only integrity code, rather than the transformation of data variables, is composed with variables and operations.
18 Block data protection
Block data variables, such as the members of a data structure in a class or field, (1) can be transformed using dynamic permutation polynomials, where the coefficients can be individual data variables; (2) can be composed with the individual batch permutation transformation of each data variable.
List of references
D. Example of the transformation of a 2-dimensional vector
Here is a very simple example of the transformation of a 2-dimensional vector . We assume the code context is:
The first step is to pick two permutation polynomials to transform X and Y:
and
The next step is to pick a matrix whose determinant is a multiplicatively invertible polynomial:
The column operation on A
for gives us:
Then the row operation on A
produces
Applying this invertible matrix A to the transformed , we obtain the transformed vector , where:
and
We can then replace x, y and z by any expressions in any variables of the code context, including X and Y, or by constants, to inject new dependencies into the transformed code. Further code optimization may become necessary depending on the expressions selected.
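The construction of Proposition 7 (section C.7) applied to the 2-dimensional case of this section, as an added example that is not the patent's own code: matrix entries are functions of the code context variables x, y and z, the matrix starts as a diagonal of odd-valued (multiplicatively invertible) functions, random row and column operations with context expressions are applied, and the transformed vector is recovered with the adjugate and the inverse of the determinant, which exists because the determinant is odd. The ring size of 16 bits, the diagonal functions, the context expressions and all names are assumptions for this example; the permutation polynomials applied to X and Y before the matrix are left out.

```python
import random

BITS = 16
MOD = 1 << BITS           # constructed ring Z/2^16 for the example

# Matrix entries are functions of the code-context variables (a dict with keys
# 'x', 'y', 'z'), so the elementary operations of Proposition 7 are carried out
# symbolically and evaluated only when the matrix is applied.
def const(c):
    return lambda ctx: c % MOD

def add_fn(f, g):
    return lambda ctx: (f(ctx) + g(ctx)) % MOD

def mul_fn(f, g):
    return lambda ctx: (f(ctx) * g(ctx)) % MOD

def build_matrix(diagonal, context_fns, rng, steps=8):
    """Proposition 7: start from diag(d_1, ..., d_m) with each d_i odd-valued,
    then apply random elementary operations row_i += f*row_j or col_i += f*col_j
    (i != j) with f drawn from the context function set. These operations do not
    change the determinant, which stays equal to the product of the d_i."""
    m = len(diagonal)
    A = [[diagonal[i] if i == j else const(0) for j in range(m)] for i in range(m)]
    for _ in range(steps):
        i, j = rng.sample(range(m), 2)
        f = rng.choice(context_fns)
        if rng.random() < 0.5:                      # row operation
            A[i] = [add_fn(A[i][k], mul_fn(f, A[j][k])) for k in range(m)]
        else:                                       # column operation
            for k in range(m):
                A[k][i] = add_fn(A[k][i], mul_fn(f, A[k][j]))
    return A

def evaluate(A, ctx):
    return [[entry(ctx) for entry in row] for row in A]

def det2(M):
    return (M[0][0] * M[1][1] - M[0][1] * M[1][0]) % MOD

def apply_matrix(A, ctx, vec):
    M = evaluate(A, ctx)
    return tuple(sum(M[i][k] * vec[k] for k in range(len(vec))) % MOD for i in range(len(M)))

def invert_matrix(A, ctx):
    """Inverse of a 2x2 matrix of the family: adjugate times det^-1. The scalar
    inverse exists because the determinant is odd (multiplicatively invertible)."""
    M = evaluate(A, ctx)
    d_inv = pow(det2(M), -1, MOD)
    adj = ((M[1][1], -M[0][1]), (-M[1][0], M[0][0]))
    return tuple(tuple(v * d_inv % MOD for v in row) for row in adj)

def unapply_matrix(A, ctx, vec):
    Minv = invert_matrix(A, ctx)
    return tuple(sum(Minv[i][k] * vec[k] for k in range(2)) % MOD for i in range(2))

# Constructed diagonal entries that are odd for every x, y, z, and a constructed
# context set of expressions over x, y, z in the spirit of this section.
D1 = lambda ctx: (2 * ctx['x'] * ctx['y'] + 1) % MOD
D2 = lambda ctx: (4 * ctx['z'] * ctx['z'] + 2 * ctx['x'] + 3) % MOD
CONTEXT = [lambda ctx: ctx['x'], lambda ctx: ctx['y'], lambda ctx: ctx['z'],
           lambda ctx: (ctx['x'] * ctx['y'] + 7) % MOD, const(5)]

def demo(seed=1, ctx=None, vec=(1234, 5678)):
    """Build A, transform vec, recover it, and check det(A) = D1 * D2 at ctx."""
    ctx = ctx or {'x': 17, 'y': 30, 'z': 2222}
    A = build_matrix([D1, D2], CONTEXT, random.Random(seed))
    transformed = apply_matrix(A, ctx, vec)
    recovered = unapply_matrix(A, ctx, transformed)
    det_ok = det2(evaluate(A, ctx)) == D1(ctx) * D2(ctx) % MOD
    return transformed, recovered, det_ok
```

The determinant check is the invariant a reviewer of generated transformation code should insist on: whatever sequence of row and column operations the generator chose, the determinant must still be the product of the chosen diagonal functions, otherwise the inverse used on the consumer side is wrong for some context values.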
E. Polynomial representation of carry bit values
Given the binary representations of two numbers a and b, with and , and , representing the carry bit using the bit values , , is an interesting problem. The following equation was developed recently.
For
Clearly, the second term above is the polynomial representation of the carry bit value. A similar equation for multiplication can also be derived.

Claims (19)

1. a method, comprising:
Receive the computer-executable code being used for existing application;
What identify described computer-executable code stores at least one value at least partially in first memory position;
That revises described computer-executable code is described at least partially at least one value described to be stored in the array that size is M but not in described first memory position, described array has multiple M register position , , wherein by permutation polynomial p, from input produce z based on input vector mapping matrix A defines a series of constant , make .
2. the method for claim 1, further comprising the steps of: to revise described computer-executable code with for each intermediate result be stored in M register, to described intermediate result application coding before intermediate result being stored in corresponding M register.
3. as any method before as described in claim, also comprise: for each intermediate result obtained from M register, to described intermediate result application decoder after obtaining intermediate result from corresponding M register.
4. as any method before as described in claim, further comprising the steps of: to revise described computer-executable code the value being different from the intermediate result of described operation by least one action need in described computer-executable code to be stored in the M register of Stochastic choice from multiple M register.
5. a method, comprising:
Input is received from application;
Definition has multiple M register position , size be the array of M;
Definition substitution polynomial expression p, from input produce z based on input vector mapping matrix A, and a series of constant ;
Perform sequence of operations, each operation provides intermediate result;
Each intermediate result is stored in from the M register of multiple M register Stochastic choice; And
Based on a series of intermediate result, end product is provided to application from the last M register storing end product.
6. The method of claim 5, further comprising: for each intermediate result stored in an M register, applying a coding to the intermediate result before storing it in the corresponding M register.
7. The method of any one of claims 2 or 6, wherein each coding applied to an intermediate result is randomly selected from a plurality of codings.
8. The method of any one of claims 5-7, further comprising: for each intermediate result obtained from an M register, applying a decoding to the intermediate result after obtaining it from the corresponding M register.
9. The method of any one of claims 3 or 8, wherein each decoding is randomly selected from a plurality of decodings.
10. The method of any one of claims 8 or 9, wherein each decoding applied to an intermediate result obtained from an M register is the inverse of the coding that was applied to that intermediate result before it was stored in the corresponding M register.
11. The method of any one of claims 8 or 9, wherein at least one decoding applied to an intermediate result obtained from an M register is not the inverse of the coding that was applied to that intermediate result before it was stored in the corresponding M register.
12. The method of any one of claims 5-11, further comprising:
storing a value required by at least one operation, other than an intermediate result, in an M register randomly selected from the plurality of M registers.
13. The method of any one of claims 4 or 12, further comprising:
applying a coding to the value required by the at least one operation, the coding being randomly selected from a plurality of codings.
14. The method of any one of claims 5-13, wherein each operation in the sequence of operations has a source selected from the group consisting of: a base function; and computer-executable program code into which at least one base function is integrated.
15. The method of any preceding claim, wherein the permutation polynomial p is a permutation polynomial on the modulo-M ring.
16. The method of any preceding claim, wherein, for , each value is unique.
17. The method of any preceding claim, wherein a new M register is allocated only when needed, according to a node-colouring algorithm.
18. The method of any preceding claim, wherein the array M is stored in a computer-readable medium, the computer-readable medium being selected from the group consisting of all computer-readable media used during execution of the application.
19. A system, comprising:
a processor; and
a computer-readable storage medium storing instructions which, when executed, cause the processor to perform the method of any preceding claim.
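As an added illustration of claims 6 to 13 and 15 (example code written for this page, not the patent's text or Irdeto's implementation): a small Python model in which every value placed in the array M is first passed through a randomly selected affine permutation polynomial on the modulo-2^32 ring and is decoded with the exact inverse when fetched, so the plain intermediates never sit in memory between operations. The 32-bit word width, the affine form of the codings, the expression being computed and the free-slot bookkeeping that stands in for the node-colouring allocator of claim 17 are all assumptions.

```python
import random

W = 32                       # word width of the protected program (assumed)
MASK = (1 << W) - 1


def random_affine_coding(rng):
    """Randomly select a coding p(x) = a*x + b on the modulo-2^W ring.
    With a odd, p is a permutation polynomial (claim 15), so an exact
    inverse exists and is itself affine. Returns (encode, decode)."""
    a = rng.getrandbits(W) | 1           # odd multiplier: invertible mod 2^W
    b = rng.getrandbits(W)
    a_inv = pow(a, -1, 1 << W)           # modular inverse of a

    def encode(x):
        return (a * x + b) & MASK

    def decode(y):                       # the inverse coding (claim 10)
        return (a_inv * ((y - b) & MASK)) & MASK

    return encode, decode


def coding_roundtrip(seed, values):
    """True if a coding chosen with this seed decodes every value it encoded."""
    encode, decode = random_affine_coding(random.Random(seed))
    return all(decode(encode(v & MASK)) == (v & MASK) for v in values)


class MangledRegisters:
    """Array M of registers. Each value placed in M gets a freshly chosen
    coding and a randomly chosen free slot (claims 6-9, 12, 13). The free-slot
    bookkeeping is a stand-in for the node-colouring allocator of claim 17."""

    def __init__(self, size, seed):
        self.rng = random.Random(seed)
        self.M = [0] * size              # what an observer of memory sees
        self.free = list(range(size))
        self.live = {}                   # name -> (slot, decoder)

    def store(self, name, value):
        if not self.free:
            raise RuntimeError("no free M register: widen M or release a value")
        encode, decode = random_affine_coding(self.rng)
        slot = self.free.pop(self.rng.randrange(len(self.free)))
        self.M[slot] = encode(value & MASK)     # coding applied before the store (claim 6)
        self.live[name] = (slot, decode)

    def load(self, name, last_use=True):
        slot, decode = self.live[name]
        value = decode(self.M[slot])             # decoding applied after the fetch (claim 8)
        if last_use:                             # release the slot for reuse
            del self.live[name]
            self.free.append(slot)
        return value


def plain_f(x, y):
    """Reference computation with no mangling: ((x*y) + 7) XOR (x << 3), mod 2^W."""
    t1 = (x * y) & MASK
    t2 = (t1 + 7) & MASK
    t3 = (x << 3) & MASK
    return t2 ^ t3


def mangled_f(x, y, seed=1234):
    """Same computation, but between operations every intermediate result and
    the constant 7 exist only in encoded form inside M. Returns the result and
    a snapshot of M taken while t2 and t3 were live, for inspection."""
    regs = MangledRegisters(size=6, seed=seed)
    regs.store("x", x)
    regs.store("y", y)
    regs.store("c7", 7)                          # a non-intermediate value (claim 12)
    regs.store("t1", regs.load("x", last_use=False) * regs.load("y"))
    regs.store("t2", regs.load("t1") + regs.load("c7"))
    regs.store("t3", regs.load("x") << 3)
    snapshot = list(regs.M)
    return regs.load("t2") ^ regs.load("t3"), snapshot


if __name__ == "__main__":
    x, y = 0x12345678, 0x9ABCDEF0               # constructed sample inputs
    result, memory = mangled_f(x, y)
    print(hex(result), hex(plain_f(x, y)))      # the two agree
    print([hex(w) for w in memory])             # no plain intermediate appears in M
```

Claim 11, where a decoding is deliberately not the inverse of the coding and the following operation absorbs the difference, is not modelled here.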
CN201380027995.4A 2012-03-30 2013-03-28 Coding is identified using dynamic data to protect addressable system Active CN104981813B (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US201261617991P 2012-03-30 2012-03-30
US201261618010P 2012-03-30 2012-03-30
US61/618010 2012-03-30
US61/617991 2012-03-30
PCT/CA2013/000303 WO2013142979A1 (en) 2012-03-30 2013-03-28 Securing accessible systems using dynamic data mangling

Publications (2)

Publication Number Publication Date
CN104981813A true CN104981813A (en) 2015-10-14
CN104981813B CN104981813B (en) 2018-08-07

Family

ID=49258006

Family Applications (4)

Application Number Title Priority Date Filing Date
CN201380028117.4A Active CN104662549B (en) 2012-03-30 2013-03-28 Addressable system is protected using cross-linked
CN201380028121.0A Active CN104335218B (en) 2012-03-30 2013-03-28 Addressable system is protected using basic function coding
CN201380027995.4A Active CN104981813B (en) 2012-03-30 2013-03-28 Coding is identified using dynamic data to protect addressable system
CN201380028192.0A Active CN104335219B (en) 2012-03-30 2013-03-28 Addressable system is protected using variable correlative coding

Family Applications Before (2)

Application Number Title Priority Date Filing Date
CN201380028117.4A Active CN104662549B (en) 2012-03-30 2013-03-28 Addressable system is protected using cross-linked
CN201380028121.0A Active CN104335218B (en) 2012-03-30 2013-03-28 Addressable system is protected using basic function coding

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN201380028192.0A Active CN104335219B (en) 2012-03-30 2013-03-28 Addressable system is protected using variable correlative coding

Country Status (4)

Country Link
US (4) US9906360B2 (en)
EP (4) EP2831797B1 (en)
CN (4) CN104662549B (en)
WO (4) WO2013142980A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108009429A (en) * 2017-12-11 2018-05-08 北京奇虎科技有限公司 A kind of patch function generation method and device
CN109614582A (en) * 2018-11-06 2019-04-12 海南大学 The lower triangular portions storage device of self adjoint matrix and parallel read method
CN109614149A (en) * 2018-11-06 2019-04-12 海南大学 The upper triangular portions storage device of symmetrical matrix and parallel read method
CN110196819A (en) * 2019-06-03 2019-09-03 海光信息技术有限公司 Memory pool access method and hardware
CN110609831A (en) * 2019-08-27 2019-12-24 浙江工商大学 Data link method based on privacy protection and safe multi-party calculation
CN116436473A (en) * 2023-06-09 2023-07-14 电子科技大学 Rule F-LDPC code parameter blind identification method based on check matrix

Families Citing this family (94)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3015726B1 (en) * 2013-12-24 2016-01-08 Morpho SECURE COMPARATIVE PROCESSING METHOD
EP2913772A1 (en) * 2014-02-28 2015-09-02 Wibu-Systems AG Method and computer system for protecting a computer program against influence
WO2015149826A1 (en) * 2014-03-31 2015-10-08 Irdeto B.V. Protecting an item of software
CN106415566A (en) 2014-03-31 2017-02-15 爱迪德技术有限公司 Protecting an item of software
JP6260442B2 (en) * 2014-05-02 2018-01-17 富士通株式会社 Information processing method and program
WO2015178895A1 (en) * 2014-05-20 2015-11-26 Hewlett-Packard Development Company, L.P. Point-wise protection of application using runtime agent
WO2015178896A1 (en) * 2014-05-20 2015-11-26 Hewlett-Packard Development Company, L.P. Point-wise protection of application using runtime agent and dynamic security analysis
US9646160B2 (en) * 2014-09-08 2017-05-09 Arm Limited Apparatus and method for providing resilience to attacks on reset of the apparatus
US10657262B1 (en) 2014-09-28 2020-05-19 Red Balloon Security, Inc. Method and apparatus for securing embedded device firmware
EP3201758A1 (en) 2014-09-30 2017-08-09 Koninklijke Philips N.V. Electronic calculating device for performing obfuscated arithmetic
DE102014016548A1 (en) * 2014-11-10 2016-05-12 Giesecke & Devrient Gmbh Method for testing and hardening software applications
RU2710310C2 (en) 2014-12-12 2019-12-25 Конинклейке Филипс Н.В. Electronic forming device
US20160182472A1 (en) * 2014-12-19 2016-06-23 Nxp, B.V. Binding White-Box Implementation To Reduced Secure Element
US10262161B1 (en) * 2014-12-22 2019-04-16 Amazon Technologies, Inc. Secure execution and transformation techniques for computing executables
JP6387466B2 (en) * 2014-12-22 2018-09-05 コーニンクレッカ フィリップス エヌ ヴェKoninklijke Philips N.V. Electronic computing device
US10868665B1 (en) 2015-05-18 2020-12-15 Amazon Technologies, Inc. Mitigating timing side-channel attacks by obscuring accesses to sensitive data
US10311229B1 (en) 2015-05-18 2019-06-04 Amazon Technologies, Inc. Mitigating timing side-channel attacks by obscuring alternatives in code
US10437525B2 (en) * 2015-05-27 2019-10-08 California Institute Of Technology Communication efficient secret sharing
FR3039733B1 (en) * 2015-07-29 2017-09-01 Sagemcom Broadband Sas DEVICE AND METHOD FOR MODIFYING A STREAMED MEDIA DATA STREAM
US9942038B2 (en) * 2015-11-04 2018-04-10 Nxp B.V. Modular exponentiation using randomized addition chains
FR3047373B1 (en) * 2016-01-28 2018-01-05 Morpho SECURE MULTIPARTITE CALCULATION METHOD PROTECTED AGAINST A MALICIOUS PART
EP3208789B1 (en) * 2016-02-22 2020-08-05 Eshard Method of protecting a circuit against a side-channel analysis
EP3208968A1 (en) 2016-02-22 2017-08-23 HOB GmbH & Co. KG Computer implemented method for generating a random seed with high entropy
US11153068B2 (en) * 2016-05-23 2021-10-19 Sony Corporation Encryption device, encryption method, decryption device and decryption method
JP2017211842A (en) * 2016-05-25 2017-11-30 富士通株式会社 Information processor, compilation management method, and compilation program
RU2621181C1 (en) * 2016-06-02 2017-05-31 Олег Станиславович Когновицкий Cycle synchronization method with dynamic addressing recipient
US10201026B1 (en) 2016-06-30 2019-02-05 Acacia Communications, Inc. Forward error correction systems and methods
US10243937B2 (en) * 2016-07-08 2019-03-26 Nxp B.V. Equality check implemented with secret sharing
CN107623568B (en) * 2016-07-15 2022-09-06 青岛博文广成信息安全技术有限公司 SM4 white box implementation method based on S box dependent on secret key
US10771235B2 (en) * 2016-09-01 2020-09-08 Cryptography Research Inc. Protecting block cipher computation operations from external monitoring attacks
CA3046924A1 (en) 2016-11-09 2018-05-17 Robert Jones Embedding security information in an image
KR102594656B1 (en) 2016-11-25 2023-10-26 삼성전자주식회사 Security Processor, Application Processor having the same and Operating Method of Security Processor
CN106778101B (en) * 2016-12-08 2019-05-14 合肥康捷信息科技有限公司 It is a kind of that method is obscured with the Python code that shape is obscured based on control stream
EP3555785A1 (en) 2016-12-15 2019-10-23 Irdeto B.V. Software integrity verification
WO2018126187A1 (en) 2016-12-30 2018-07-05 Jones Robert L Embedded variable line patterns
US11615285B2 (en) 2017-01-06 2023-03-28 Ecole Polytechnique Federale De Lausanne (Epfl) Generating and identifying functional subnetworks within structural networks
GB201703864D0 (en) 2017-03-10 2017-04-26 Irdeto Bv Secured system operation
US10579495B2 (en) 2017-05-18 2020-03-03 California Institute Of Technology Systems and methods for transmitting data using encoder cooperation in the presence of state information
US10902098B2 (en) * 2017-07-11 2021-01-26 Northwestern University Logic encryption for integrated circuit protection
US10521585B2 (en) * 2017-10-02 2019-12-31 Baidu Usa Llc Method and apparatus for detecting side-channel attack
CN111201749B (en) * 2017-10-27 2021-09-28 量子熵有限公司 Method and system for secure data communication
US11323247B2 (en) 2017-10-27 2022-05-03 Quantropi Inc. Methods and systems for secure data communication
WO2019126044A1 (en) * 2017-12-18 2019-06-27 University Of Central Florida Research Foundation, Inc. Techniques for securely executing code that operates on encrypted data on a public computer
CN109995518A (en) * 2017-12-29 2019-07-09 北京京东尚科信息技术有限公司 Method for generating cipher code and device
FR3078463A1 (en) * 2018-02-26 2019-08-30 Stmicroelectronics (Rousset) Sas METHOD AND DEVICE FOR REALIZING SUBSTITUTED TABLE OPERATIONS
US11218291B2 (en) * 2018-02-26 2022-01-04 Stmicroelectronics (Rousset) Sas Method and circuit for performing a substitution operation
FR3078464A1 (en) * 2018-02-26 2019-08-30 Stmicroelectronics (Rousset) Sas METHOD AND CIRCUIT FOR IMPLEMENTING A SUBSTITUTION TABLE
JP7000928B2 (en) * 2018-03-09 2022-01-19 株式会社リコー Information processing equipment, image forming equipment, image processing system, image processing method, and program
CN111886642A (en) * 2018-03-12 2020-11-03 日本电信电话株式会社 Secret table reference system, secret table reference method, secret calculation device, and program
CN108509774B (en) * 2018-04-09 2020-08-11 北京顶象技术有限公司 Data processing method and device, electronic equipment and storage medium
US11032061B2 (en) * 2018-04-27 2021-06-08 Microsoft Technology Licensing, Llc Enabling constant plaintext space in bootstrapping in fully homomorphic encryption
US10797868B2 (en) 2018-05-31 2020-10-06 Irdeto B.V. Shared secret establishment
GB2574261B (en) * 2018-06-01 2020-06-03 Advanced Risc Mach Ltd Efficient unified hardware implementation of multiple ciphers
US11663478B2 (en) 2018-06-11 2023-05-30 Inait Sa Characterizing activity in a recurrent artificial neural network
US11893471B2 (en) 2018-06-11 2024-02-06 Inait Sa Encoding and decoding information and artificial neural networks
EP3591550A1 (en) * 2018-07-06 2020-01-08 Koninklijke Philips N.V. A compiler device with masking function
US10505676B1 (en) 2018-08-10 2019-12-10 Acacia Communications, Inc. System, method, and apparatus for interleaving data
US10545850B1 (en) 2018-10-18 2020-01-28 Denso International America, Inc. System and methods for parallel execution and comparison of related processes for fault protection
US11764940B2 (en) 2019-01-10 2023-09-19 Duality Technologies, Inc. Secure search of secret data in a semi-trusted environment using homomorphic encryption
CN111459788A (en) * 2019-01-18 2020-07-28 南京大学 Test program plagiarism detection method based on support vector machine
US11403372B2 (en) * 2019-01-29 2022-08-02 Irdeto Canada Corporation Systems, methods, and storage media for obfuscating a computer program by representing the control flow of the computer program as data
CN109640299B (en) * 2019-01-31 2021-09-21 浙江工商大学 Aggregation method and system for ensuring M2M communication integrity and fault tolerance
KR20210127923A (en) * 2019-02-26 2021-10-25 인텔 코포레이션 Workload-oriented constant propagation for compilers
JP7233265B2 (en) * 2019-03-15 2023-03-06 三菱電機株式会社 Signature device, verification device, signature method, verification method, signature program and verification program
US11569978B2 (en) * 2019-03-18 2023-01-31 Inait Sa Encrypting and decrypting information
US11652603B2 (en) 2019-03-18 2023-05-16 Inait Sa Homomorphic encryption
US20220191220A1 (en) * 2019-03-28 2022-06-16 Nec Corporation Analysis system, method, and program
US10764029B1 (en) * 2019-04-02 2020-09-01 Carey Patrick Atkins Asymmetric Encryption Algorithm
US11654635B2 (en) 2019-04-18 2023-05-23 The Research Foundation For Suny Enhanced non-destructive testing in directed energy material processing
US11314996B1 (en) 2019-06-04 2022-04-26 Idemia Identity & Security USA LLC Embedded line patterns using square-wave linecode
CN112068799B (en) * 2019-06-11 2022-08-02 云南大学 Optimal signed binary system fast calculation method and elliptic curve scalar multiplication
US11323255B2 (en) * 2019-08-01 2022-05-03 X-Logos, LLC Methods and systems for encryption and homomorphic encryption systems using Geometric Algebra and Hensel codes
CN114208359A (en) * 2019-08-15 2022-03-18 高通股份有限公司 New in-radio coexistence in broadband systems
US11263316B2 (en) 2019-08-20 2022-03-01 Irdeto B.V. Securing software routines
US11086714B2 (en) * 2019-09-20 2021-08-10 Intel Corporation Permutation of bit locations to reduce recurrence of bit error patterns in a memory device
US11509460B2 (en) * 2019-10-02 2022-11-22 Samsung SDS Co., Ltd. Apparatus and method for performing matrix multiplication operation being secure against side channel attack
US11580401B2 (en) 2019-12-11 2023-02-14 Inait Sa Distance metrics and clustering in recurrent neural networks
US11797827B2 (en) 2019-12-11 2023-10-24 Inait Sa Input into a neural network
US11816553B2 (en) 2019-12-11 2023-11-14 Inait Sa Output from a recurrent neural network
US11651210B2 (en) 2019-12-11 2023-05-16 Inait Sa Interpreting and improving the processing results of recurrent neural networks
US11204985B2 (en) * 2020-03-31 2021-12-21 Irdeto Canada Corporation Systems, methods, and storage media for creating secured computer code having entangled transformations
US11552789B2 (en) * 2020-05-27 2023-01-10 Volodymyr Vasiliovich Khylenko System for an encoded information transmission
CN111881462A (en) * 2020-07-17 2020-11-03 张睿 Online analysis technology for commercial password application encryption effectiveness
WO2022035909A1 (en) 2020-08-10 2022-02-17 X-Logos, LLC Methods for somewhat homomorphic encryption and key updates based on geometric algebra for distributed ledger technology
TW202215237A (en) * 2020-09-02 2022-04-16 美商賽發馥股份有限公司 Memory protection for vector operations
WO2022061184A2 (en) 2020-09-17 2022-03-24 X-Logos, LLC Methods and systems for encrypting rational numbers and adding randomness to rsa cryptosystems using p-adic numbers
US11502819B2 (en) * 2021-01-21 2022-11-15 Nxp B.V. Efficient masked polynomial comparison
CN112861331B (en) * 2021-01-28 2022-02-25 西南石油大学 Method for rapidly constructing coefficient matrix of oil and gas reservoir numerical simulator
CN112989421A (en) * 2021-03-31 2021-06-18 支付宝(杭州)信息技术有限公司 Method and system for processing safety selection problem
CN112863132B (en) * 2021-04-23 2021-07-13 成都中轨轨道设备有限公司 Natural disaster early warning system and early warning method
IT202100012488A1 (en) * 2021-05-14 2022-11-14 Torino Politecnico Method of configuring neural networks and method of processing binary files
US11930074B2 (en) * 2021-10-26 2024-03-12 King Fahd University Of Petroleum And Minerals Content distribution over a network
TW202324967A (en) * 2021-11-03 2023-06-16 美商艾銳勢企業有限責任公司 White-box processing for encoding with large integer values
CN114091624B (en) * 2022-01-18 2022-04-26 蓝象智联(杭州)科技有限公司 Federal gradient lifting decision tree model training method without third party

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6192475B1 (en) * 1997-03-31 2001-02-20 David R. Wallace System and method for cloaking software
US20030163718A1 (en) * 2000-04-12 2003-08-28 Johnson Harold J. Tamper resistant software-mass data encoding
US6668325B1 (en) * 1997-06-09 2003-12-23 Intertrust Technologies Obfuscation techniques for enhancing software security
WO2008101341A1 (en) * 2007-02-23 2008-08-28 Cloakware Corporation System and method for interlocking to protect software-mediated program and device behaviours
CN101568927A (en) * 2006-12-21 2009-10-28 艾利森电话股份有限公司 Obfuscating computer program code
US20110214179A1 (en) * 2001-11-26 2011-09-01 Irdeto Canada Corporation Secure method and system for computer protection

Family Cites Families (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US2009572A (en) * 1935-03-21 1935-07-30 Joseph H Dunn Rotary photograph printing machine
US5095525A (en) * 1989-06-26 1992-03-10 Rockwell International Corporation Memory transformation apparatus and method
US5081675A (en) * 1989-11-13 1992-01-14 Kitti Kittirutsunetorn System for protection of software in memory against unauthorized use
US6088452A (en) 1996-03-07 2000-07-11 Northern Telecom Limited Encoding technique for software and hardware
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US6594761B1 (en) * 1999-06-09 2003-07-15 Cloakware Corporation Tamper resistant software encoding
US7430670B1 (en) * 1999-07-29 2008-09-30 Intertrust Technologies Corp. Software self-defense systems and methods
US6779114B1 (en) 1999-08-19 2004-08-17 Cloakware Corporation Tamper resistant software-control flow encoding
US6983365B1 (en) * 2000-05-05 2006-01-03 Microsoft Corporation Encryption systems and methods for identifying and coalescing identical objects encrypted with different keys
FR2811093A1 (en) * 2000-06-30 2002-01-04 St Microelectronics Sa DEVICE AND METHOD FOR EVALUATING ALGORITHMS
JP2002049310A (en) * 2000-08-04 2002-02-15 Toshiba Corp Ciphering and deciphering device, authentication device and storage medium
US20020092003A1 (en) * 2000-11-29 2002-07-11 Brad Calder Method and process for the rewriting of binaries to intercept system calls in a secure execution environment
CA2327911A1 (en) 2000-12-08 2002-06-08 Cloakware Corporation Obscuring functions in computer software
GB2371125A (en) * 2001-01-13 2002-07-17 Secr Defence Computer protection system
CA2348355A1 (en) 2001-05-24 2002-11-24 Cloakware Corporation General scheme of using encodings in computations
CA2369304A1 (en) 2002-01-30 2003-07-30 Cloakware Corporation A protocol to hide cryptographic private keys
JP2003312286A (en) 2002-04-23 2003-11-06 Toyoda Mach Works Ltd Wheel driving force allocation controlling system
US7366914B2 (en) 2003-08-29 2008-04-29 Intel Corporation Source code transformation based on program operators
KR100506203B1 (en) * 2003-09-17 2005-08-05 삼성전자주식회사 Booting and boot code update method and system thereof
US7966499B2 (en) 2004-01-28 2011-06-21 Irdeto Canada Corporation System and method for obscuring bit-wise and two's complement integer computations in software
US7512936B2 (en) 2004-12-17 2009-03-31 Sap Aktiengesellschaft Code diversification
EP1675031B1 (en) 2004-12-22 2010-01-06 Telefonaktiebolaget L M Ericsson (Publ) Watermarking computer program code by equivalent mathematical expressions
GB2435531A (en) * 2006-02-27 2007-08-29 Sharp Kk Control Flow Protection Mechanism
KR20080113277A (en) * 2006-04-28 2008-12-29 파나소닉 주식회사 System for making program difficult to read, device for making program difficult to read, and method for making program difficult to read
US20080016339A1 (en) * 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware
ATE432507T1 (en) 2006-12-21 2009-06-15 Ericsson Telefon Ab L M OCCASIONING COMPUTER PROGRAM CODES
WO2008101340A1 (en) * 2007-02-23 2008-08-28 Cloakware Corporation System and method for interlocking to protect software-mediated program and device behaviours
US8245209B2 (en) * 2007-05-29 2012-08-14 International Business Machines Corporation Detecting dangling pointers and memory leaks within software
ATE456837T1 (en) 2007-06-29 2010-02-15 Ericsson Telefon Ab L M OCCASIONING TRACES OF EXECUTION OF A COMPUTER PROGRAM CODE
WO2009108245A2 (en) * 2007-12-21 2009-09-03 University Of Virginia Patent Foundation System, method and computer program product for protecting software via continuous anti-tampering and obfuscation transforms
US8271424B2 (en) * 2008-05-15 2012-09-18 International Business Machines Corporation Privacy and confidentiality preserving reporting of URLs
US8312249B1 (en) * 2008-10-10 2012-11-13 Apple Inc. Dynamic trampoline and structured code generation in a signed code environment
US8874928B2 (en) * 2008-10-31 2014-10-28 Apple Inc. System and method for obfuscating constants in a computer program
JP5322620B2 (en) * 2008-12-18 2013-10-23 株式会社東芝 Information processing apparatus, program development system, program verification method, and program
CN101477610B (en) * 2008-12-25 2011-05-18 中国人民解放军信息工程大学 Software watermark process for combined embedding of source code and target code
FR2950721B1 (en) * 2009-09-29 2011-09-30 Thales Sa METHOD FOR EXECUTING A PROTECTIVE ALGORITHM OF AN AFFIN-MASKING ELECTRONIC DEVICE AND ASSOCIATED DEVICE
US20110167407A1 (en) * 2010-01-06 2011-07-07 Apple Inc. System and method for software data reference obfuscation

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108009429A (en) * 2017-12-11 2018-05-08 北京奇虎科技有限公司 A kind of patch function generation method and device
CN109614582A (en) * 2018-11-06 2019-04-12 海南大学 The lower triangular portions storage device of self adjoint matrix and parallel read method
CN109614149A (en) * 2018-11-06 2019-04-12 海南大学 The upper triangular portions storage device of symmetrical matrix and parallel read method
CN109614582B (en) * 2018-11-06 2020-08-11 海南大学 Lower triangular part storage device of self-conjugate matrix and parallel reading method
CN110196819A (en) * 2019-06-03 2019-09-03 海光信息技术有限公司 Memory pool access method and hardware
CN110609831A (en) * 2019-08-27 2019-12-24 浙江工商大学 Data link method based on privacy protection and safe multi-party calculation
CN110609831B (en) * 2019-08-27 2020-07-03 浙江工商大学 Data link method based on privacy protection and safe multi-party calculation
CN116436473A (en) * 2023-06-09 2023-07-14 电子科技大学 Rule F-LDPC code parameter blind identification method based on check matrix
CN116436473B (en) * 2023-06-09 2023-10-03 电子科技大学 Rule F-LDPC code parameter blind identification method based on check matrix

Also Published As

Publication number Publication date
EP2831791B1 (en) 2020-10-21
US9965623B2 (en) 2018-05-08
EP2831791A1 (en) 2015-02-04
EP2831797A4 (en) 2015-11-11
US20150326389A1 (en) 2015-11-12
US20150067874A1 (en) 2015-03-05
US20150067875A1 (en) 2015-03-05
EP2831795A1 (en) 2015-02-04
EP2831794A4 (en) 2016-03-09
EP2831791A4 (en) 2015-11-25
US9906360B2 (en) 2018-02-27
EP2831797B1 (en) 2018-05-02
EP2831794A1 (en) 2015-02-04
WO2013142980A1 (en) 2013-10-03
US9698973B2 (en) 2017-07-04
CN104662549A (en) 2015-05-27
US20150082425A1 (en) 2015-03-19
CN104335218A (en) 2015-02-04
WO2013142979A1 (en) 2013-10-03
EP2831794B1 (en) 2021-11-10
EP2831795A4 (en) 2015-11-25
CN104335219B (en) 2018-06-05
WO2013142981A1 (en) 2013-10-03
CN104662549B (en) 2019-02-19
EP2831795B1 (en) 2019-01-09
WO2013142983A1 (en) 2013-10-03
CN104981813B (en) 2018-08-07
CN104335219A (en) 2015-02-04
CN104335218B (en) 2017-08-11
EP2831797A1 (en) 2015-02-04

Similar Documents

Publication Publication Date Title
CN104981813B (en) Coding is identified using dynamic data to protect addressable system
CN101627394B (en) System and method for interlocking to protect software-mediated program and device behaviours
CN104919750B (en) Calculate the computing device and method of the data function on function input value
Manikyam Program protection using software based hardware abstraction
US20170098089A1 (en) Method of protecting secret data when used in a cryptographic algorithm
Huang et al. Smart contract watermarking based on code obfuscation
Bauer et al. Attacks against white-box ECDSA and discussion of countermeasures: A report on the WhibOx contest 2021
Sasirekha et al. An enhanced code encryption approach with HNT transformations for software security
Plasmans White-box cryptography for digital content protection
Chapman A survey and analysis of solutions to the oblivious memory access problem
Sasirekha et al. An improved secure code encryption approach based on indexed table
De Mulder et al. Perturbated Functions: a new approach to Obfuscation and Diversity

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant